```
-> **Note:** If no volume letter is associated with the -status command, all volumes on the computer display their status.
-
+
+> [!NOTE]
+> If no volume letter is associated with the -status command, all volumes on the computer display their status.
+
### Checking BitLocker status with Windows PowerShell
Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer.
@@ -520,6 +506,7 @@ This command disables protectors while it decrypts the volume and removes all pr
```powershell
manage-bde -status C:
```
+
### Decrypting volumes using the BitLocker Windows PowerShell cmdlets
Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. The additional advantage Windows PowerShell offers is the ability to decrypt multiple drives in one pass. In the example below, the users have three encrypted volumes, which they wish to decrypt.
@@ -529,16 +516,16 @@ Using the Disable-BitLocker command, they can remove all protectors and encrypti
```powershell
Disable-BitLocker
```
+
If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is:
```powershell
Disable-BitLocker -MountPoint E:,F:,G:
```
+
## See also
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [BitLocker overview](bitlocker-overview.md)
-
-
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 8b7918f1f7..d9658a3113 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -21,19 +21,21 @@ ms.custom: bitlocker
# BitLocker Group Policy settings
**Applies to**
-- Windows 10
+
+- Windows 10
This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
To control what drive encryption tasks the user can perform from the Windows Control Panel or to modify other configuration options, you can use Group Policy administrative templates or local computer policy settings. How you configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed.
->**Note:** A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings).
+> [!NOTE]
+> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings).
BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**.
Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer is not compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance.
If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group
-Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
+Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
## BitLocker Group Policy settings
@@ -100,98 +102,43 @@ The following policies are used to support customized deployment scenarios in yo
This policy setting allows users on devices that are compliant with Modern Standby or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices. |
-
-
-Introduced |
-Windows 10, version 1703 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-This setting overrides the Require startup PIN with TPM option of the Require additional authentication at startup policy on compliant hardware.
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.|
+|Introduced|Windows 10, version 1703|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware.|
+|When enabled|Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.|
+|When disabled or not configured|The options of the [Require additional authentication at startup](#bkmk-unlockpol1) policy apply.|
- |
-
-
-When enabled |
-Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication. |
-
-
-When disabled or not configured |
-The options of the Require additional authentication at startup policy apply. |
-
-
-
+**Reference**
-Reference
-
-The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby.
-But visually impaired users have no audible way to know when to enter a PIN.
+The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN.
This setting enables an exception to the PIN-required policy on secure hardware.
### Allow network unlock at startup
This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption.
+
This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors. |
-
-
-When disabled or not configured |
-Clients cannot create and use Network Key Protectors |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|None|
+|When enabled|Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.|
+|When disabled or not configured|Clients cannot create and use Network Key Protectors|
-Reference
+**Reference**
To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create network key protectors to automatically unlock by using Network Unlock.
->**Note:** For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup.
+> [!NOTE]
+> For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup.
For more information about Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
@@ -199,46 +146,17 @@ For more information about Network Unlock, see [BitLocker: How to enable Network
This policy setting is used to control which unlock options are available for operating system drives.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-If one authentication method is required, the other methods cannot be allowed.
-Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. |
-
-
-When enabled |
-Users can configure advanced startup options in the BitLocker Setup Wizard. |
-
-
-When disabled or not configured |
-Users can configure only basic options on computers with a TPM.
-Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|If one authentication method is required, the other methods cannot be allowed. Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.|
+|When enabled|Users can configure advanced startup options in the BitLocker Setup Wizard.|
+|When disabled or not configured|Users can configure only basic options on computers with a TPM. Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.|
-Reference
+**Reference**
If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive.
@@ -276,101 +194,46 @@ There are four options for TPM-enabled computers or devices:
This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected. |
-
-
-When disabled or not configured |
-Enhanced PINs will not be used. |
-
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|None|
+|When enabled|All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected.|
+|When disabled or not configured|Enhanced PINs will not be used.|
**Reference**
Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker.
->**Important:** Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
+> [!IMPORANT]
+> Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
### Configure minimum PIN length for startup
This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits. |
-
-
-When disabled or not configured |
-Users can configure a startup PIN of any length between 6 and 20 digits. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|None|
+|When enabled|You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits.|
+|When disabled or not configured|Users can configure a startup PIN of any length between 6 and 20 digits.|
-Reference
+**Reference**
-This policy setting is applied when you turn on BitLocker.
-The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
+This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
Originally, BitLocker allowed from 4 to 20 characters for a PIN.
Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
-The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
@@ -389,61 +252,33 @@ If the minimum PIN length is reduced from the default of six characters, then th
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows.
-| | |
-| - | - |
-| **Policy description** | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. |
-| **Introduced** | Windows 10, version 1703 |
-| **Drive type** | Operating system drives |
-| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
-| **Conflicts** | None |
-| **When enabled** | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. |
-| **When disabled or not configured** | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
+| | |
+|---------|---------|
+|Policy description|This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys.|
+|Introduced|Windows 10, version 1703|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|Conflicts|None|
+|When enabled|Every time the user locks the scree, DMA will be blocked on hot pluggable PCI ports until the user signs in again.|
+|When disabled or not configured|DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
**Reference**
-This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2018/01/18/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709/), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105/windows-10-update-kb4093105).
+This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2018/01/18/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709/), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105).
### Disallow standard users from changing the PIN or password
This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-Standard users are not allowed to change BitLocker PINs or passwords. |
-
-
-When disabled or not configured |
-Standard users are permitted to change BitLocker PINs or passwords. |
-
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|None|
+|When enabled|Standard users are not allowed to change BitLocker PINs or passwords.|
+|When disabled or not configured|Standard users are permitted to change BitLocker PINs or passwords.|
**Reference**
@@ -453,55 +288,22 @@ To change the PIN or password, the user must be able to provide the current PIN
This policy controls how non-TPM based systems utilize the password protector. Used in conjunction with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-Passwords cannot be used if FIPS-compliance is enabled.
-
- NoteThe System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.
-
-
- |
-
-
-When enabled |
-Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select Require complexity. |
-
-
-When disabled or not configured |
-The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur. |
-
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|Passwords cannot be used if FIPS-compliance is enabled.
**NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options** specifies whether FIPS-compliance is enabled.|
+|When enabled|Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select **Require complexity**.|
+|When disabled or not configured|The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.|
**Reference**
If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled.
->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
+> [!NOTE]
+> These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation.
Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
@@ -516,44 +318,17 @@ When this policy setting is enabled, you can set the option **Configure password
This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts. |
-
-
-Introduced |
-Windows Server 2008 and Windows Vista |
-
-
-Drive type |
-Operating system drives (Windows Server 2008 and Windows Vista) |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-If you choose to require an additional authentication method, other authentication methods cannot be allowed. |
-
-
-When enabled |
-The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM. |
-
-
-When disabled or not configured |
-The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.|
+|Introduced|Windows Server 2008 and Windows Vista|
+|Drive type|Operating system drives (Windows Server 2008 and Windows Vista)|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|If you choose to require an additional authentication method, other authentication methods cannot be allowed.|
+|When enabled|The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.|
+|When disabled or not configured|The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.|
-Reference
+**Reference**
On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN.
@@ -580,97 +355,38 @@ To hide the advanced page on a TPM-enabled computer or device, set these options
This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Fixed data drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
-
-Conflicts |
-To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates. |
-
-
-When enabled |
-Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box. |
-
-
-When disabled |
-Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives. |
-
-
-When not configured |
-Smart cards can be used to authenticate user access to a BitLocker-protected drive. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Fixed data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
+|Conflicts|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.|
+|When enabled|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on fixed data drives** check box.|
+|When disabled|Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives.|
+|When not configured|Smart cards can be used to authenticate user access to a BitLocker-protected drive.|
-Reference
+**Reference**
->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive.
+> [!NOTE]
+> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive.
### Configure use of passwords on fixed data drives
This policy setting is used to require, allow, or deny the use of passwords with fixed data drives.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Fixed data drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
-
-Conflicts |
-To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled. |
-
-
-When enabled |
-Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity. |
-
-
-When disabled |
-The user is not allowed to use a password. |
-
-
-When not configured |
-Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Fixed data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
+|Conflicts|To use password complexity, the **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements** policy setting must also be enabled.|
+|When enabled|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for fixed data drive**. To enforce complexity requirements on the password, select **Require complexity**.|
+|When disabled|The user is not allowed to use a password.|
+|When not configured|Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.|
-Reference
+**Reference**
When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled.
@@ -680,115 +396,58 @@ When set to **Do not allow complexity**, no password complexity validation is pe
Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
+> [!NOTE]
+> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled.
This policy setting is configured on a per-computer basis. This means that it applies to local user accounts and domain user accounts. Because the password filter that is used to validate password complexity is located on the domain controllers, local user accounts cannot access the password filter because they are not authenticated for domain access. When this policy setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this situation, the password key protector cannot be added to the drive.
Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they cannot connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive.
->**Important:** Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.
+> [!IMPORTANT]
+> Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.
### Configure use of smart cards on removable data drives
This policy setting is used to require, allow, or deny the use of smart cards with removable data drives.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Removable data drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
-
-Conflicts |
-To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates. |
-
-
-When enabled |
-Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box. |
-
-
-When disabled or not configured |
-Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives. |
-
-
-When not configured |
-Smart cards are available to authenticate user access to a BitLocker-protected removable data drive. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Removable data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|Conflicts|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.|
+|When enabled|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on removable data drives** check box.|
+|When disabled or not configured|Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.|
+|When not configured|Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.|
-Reference
+**Reference**
->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
+> [!NOTE]
+> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
### Configure use of passwords on removable data drives
This policy setting is used to require, allow, or deny the use of passwords with removable data drives.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Removable data drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
-
-Conflicts |
-To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled. |
-
-
-When enabled |
-Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity. |
-
-
-When disabled |
-The user is not allowed to use a password. |
-
-
-When not configured |
-Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters. |
-
-
-
-
-Reference
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Removable data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|Conflicts|To use password complexity, the **Password must meet complexity requirements** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy** must also be enabled.|
+|When enabled|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for removable data drive**. To enforce complexity requirements on the password, select **Require complexity**.|
+|When disabled|The user is not allowed to use a password.|
+|When not configured|Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.|
+**Reference**
If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled.
->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
+> [!NOTE]
+> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
@@ -798,52 +457,26 @@ When set to **Allow complexity**, a connection to a domain controller will be at
When set to **Do not allow complexity**, no password complexity validation will be done.
->**Note:** Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.
+> [!NOTE]
+> Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.
-For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://technet.microsoft.com/library/jj852211.aspx).
+For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing).
### Validate smart card certificate usage rule compliance
This policy setting is used to determine what certificate to use with BitLocker.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Fixed and removable data drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate. |
-
-
-When disabled or not configured |
-The default object identifier is used. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Fixed and removable data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|Conflicts|None|
+|When enabled|The object identifier that is specified in the **Object identifier** setting must match the object identifier in the smart card certificate.|
+|When disabled or not configured|The default object identifier is used.|
-Reference
+**Reference**
This policy setting is applied when you turn on BitLocker.
@@ -851,50 +484,24 @@ The object identifier is specified in the enhanced key usage (EKU) of a certific
The default object identifier is 1.3.6.1.4.1.311.67.1.1.
->**Note:** BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.
+> [!NOTE]
+> BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.
### Enable use of BitLocker authentication requiring preboot keyboard input on slates
This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Operating system drive |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-Devices must have an alternative means of preboot input (such as an attached USB keyboard). |
-
-
-When disabled or not configured |
-The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Operating system drive|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive|
+|Conflicts|None|
+|When enabled|Devices must have an alternative means of preboot input (such as an attached USB keyboard).|
+|When disabled or not configured|The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.|
-Reference
+**Reference**
The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
@@ -912,44 +519,17 @@ If you do not enable this policy setting, the following options in the **Require
This policy setting is used to require encryption of fixed drives prior to granting Write access.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Fixed data drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
-
-Conflicts |
-See the Reference section for a description of conflicts. |
-
-
-When enabled |
-All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access. |
-
-
-When disabled or not configured |
-All fixed data drives on the computer are mounted with Read and Write access. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Fixed data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
+|Conflicts|See the Reference section for a description of conflicts.|
+|When enabled|All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.|
+|When disabled or not configured|All fixed data drives on the computer are mounted with Read and Write access.|
-Reference
+**Reference**
This policy setting is applied when you turn on BitLocker.
@@ -967,48 +547,22 @@ Conflict considerations include:
This policy setting is used to require that removable drives are encrypted prior to granting Write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Removable data drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
-
-Conflicts |
-See the Reference section for a description of conflicts. |
-
-
-When enabled |
-All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access. |
-
-
-When disabled or not configured |
-All removable data drives on the computer are mounted with Read and Write access. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Removable data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|Conflicts|See the Reference section for a description of conflicts.|
+|When enabled|All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.|
+|When disabled or not configured|All removable data drives on the computer are mounted with Read and Write access.|
-Reference
+**Reference**
If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it is checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting.
->**Note:** You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored.
+> [!NOTE]
+> You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored.
Conflict considerations include:
@@ -1020,52 +574,22 @@ Conflict considerations include:
This policy setting is used to prevent users from turning BitLocker on or off on removable data drives.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can control the use of BitLocker on removable data drives. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Removable data drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-You can select property settings that control how users can configure BitLocker. |
-
-
-When disabled |
-Users cannot use BitLocker on removable data drives. |
-
-
-When not configured |
-Users can use BitLocker on removable data drives. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can control the use of BitLocker on removable data drives.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Removable data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|Conflicts|None|
+|When enabled|You can select property settings that control how users can configure BitLocker.|
+|When disabled|Users cannot use BitLocker on removable data drives.|
+|When not configured|Users can use BitLocker on removable data drives.|
-Reference
+**Reference**
This policy setting is applied when you turn on BitLocker.
-For information about suspending BitLocker protection, see [BitLocker Basic Deployment](https://technet.microsoft.com/library/dn383581.aspx).
+For information about suspending BitLocker protection, see [BitLocker Basic Deployment](bitlocker-basic-deployment.md).
The options for choosing property settings that control how users can configure BitLocker are:
@@ -1076,44 +600,17 @@ The options for choosing property settings that control how users can configure
This policy setting is used to control the encryption method and cipher strength.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can control the encryption method and strength for drives. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-All drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives. |
-
-
-When disabled or not configured |
-Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can control the encryption method and strength for drives.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|All drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|Conflicts|None|
+|When enabled|You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.|
+|When disabled or not configured|Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy.|
-Reference
+**Reference**
The values of this policy determine the strength of the cipher that BitLocker uses for encryption.
Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128).
@@ -1124,7 +621,8 @@ For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the d
Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
->**Warning:** This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.
+> [!WARNING]
+> This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.
When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method that is specified in the setup script.
@@ -1132,51 +630,21 @@ When this policy setting is disabled or not configured, BitLocker will use the d
This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they are used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Fixed data drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
-
-
-When disabled |
-BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
-
-
-When not configured |
-BitLocker software-based encryption is used irrespective of hardware-based encryption ability.
- |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Fixed data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
+|Conflicts|None|
+|When enabled|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
+|When disabled|BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
+|When not configured|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
-Reference
+**Reference**
->**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
+> [!NOTE]
+> The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
@@ -1187,52 +655,23 @@ The encryption algorithm that is used by hardware-based encryption is set when t
This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
-
-
-When disabled |
-BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
-
-
-When not configured |
-BitLocker software-based encryption is used irrespective of hardware-based encryption ability. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|None|
+|When enabled|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
+|When disabled|BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
+|When not configured|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
-Reference
+**Reference**
If hardware-based encryption is not available, BitLocker software-based encryption is used instead.
->**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
+> [!NOTE]
+> The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
@@ -1243,52 +682,23 @@ The encryption algorithm that is used by hardware-based encryption is set when t
This policy controls how BitLocker reacts to encrypted drives when they are used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Removable data drive |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
-
-
-When disabled |
-BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
-
-
-When not configured |
-BitLocker software-based encryption is used irrespective of hardware-based encryption ability. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Removable data drive|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|Conflicts|None|
+|When enabled|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
+|When disabled|BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
+|When not configured|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
-Reference
+**Reference**
If hardware-based encryption is not available, BitLocker software-based encryption is used instead.
->**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
+> [!NOTE]
+> The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
@@ -1299,192 +709,86 @@ The encryption algorithm that is used by hardware-based encryption is set when t
This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure the encryption type that is used by BitLocker. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Fixed data drive |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard. |
-
-
-When disabled or not configured |
-The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure the encryption type that is used by BitLocker.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Fixed data drive|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
+|Conflicts|None|
+|When enabled|This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard.|
+|When disabled or not configured|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
-Reference
+**Reference**
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
->**Note:** This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.
+> [!NOTE]
+> This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.
-For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx).
+For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
### Enforce drive encryption type on operating system drives
This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure the encryption type that is used by BitLocker. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Operating system drive |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. |
-
-
-When disabled or not configured |
-The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure the encryption type that is used by BitLocker.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Operating system drive|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|None|
+|When enabled|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.|
+|When disabled or not configured|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
-Reference
+**Reference**
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
->**Note:** This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.
+> [!NOTE]
+> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.
-For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx).
+For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
### Enforce drive encryption type on removable data drives
This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure the encryption type that is used by BitLocker. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Removable data drive |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. |
-
-
-When disabled or not configured |
-The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure the encryption type that is used by BitLocker.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Removable data drive|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|Conflicts|None|
+|When enabled|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.|
+|When disabled or not configured|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
-Reference
+**Reference**
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
->**Note:** This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.
+> [!NOTE]
+> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.
-For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx).
+For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
### Choose how BitLocker-protected operating system drives can be recovered
This policy setting is used to configure recovery methods for operating system drives.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.
-When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting. |
-
-
-When enabled |
-You can control the methods that are available to users to recover data from BitLocker-protected operating system drives. |
-
-
-When disabled or not configured |
-The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. When using data recovery agents, you must enable the **Provide the unique identifiers for your organization** policy setting.|
+|When enabled|You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.|
+|When disabled or not configured|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.|
-Reference
+**Reference**
This policy setting is applied when you turn on BitLocker.
@@ -1501,50 +805,24 @@ In **Save BitLocker recovery information to Active Directory Domain Services**,
Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
->**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated.
+> [!NOTE]
+> If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated.
### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options. |
-
-
-Introduced |
-Windows Server 2008 and Windows Vista |
-
-
-Drive type |
-Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
-
-Conflicts |
-This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error. |
-
-
-When enabled |
-You can configure the options that the Bitlocker Setup Wizard displays to users for recovering BitLocker encrypted data. |
-
-
-When disabled or not configured |
-The BitLocker Setup Wizard presents users with ways to store recovery options. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.|
+|Introduced|Windows Server 2008 and Windows Vista|
+|Drive type|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|Conflicts|This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the **Do not allow** option for both user recovery options, you must enable the **Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)** policy setting to prevent a policy error.|
+|When enabled|You can configure the options that the Bitlocker Setup Wizard displays to users for recovering BitLocker encrypted data.|
+|When disabled or not configured|The BitLocker Setup Wizard presents users with ways to store recovery options.|
-Reference
+**Reference**
This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker.
@@ -1552,53 +830,28 @@ Two recovery options can be used to unlock BitLocker-encrypted data in the absen
Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving it to a folder stores the 48-digit recovery password as a text file. Printing it sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder.
-> **Important:** If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information.
+> [!IMPORTANT]
+> If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information.
> The 48-digit recovery password is not available in FIPS-compliance mode.
->
-> **Important:** To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs.
+
+> [!IMPORTANT]
+> To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs.
### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information. |
-
-
-Introduced |
-Windows Server 2008 and Windows Vista |
-
-
-Drive type |
-Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista. |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer. |
-
-
-When disabled or not configured |
-BitLocker recovery information is not backed up to AD DS. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.|
+|Introduced|Windows Server 2008 and Windows Vista|
+|Drive type|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|Conflicts|None|
+|When enabled|BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.|
+|When disabled or not configured|BitLocker recovery information is not backed up to AD DS.|
-Reference
+**Reference**
This policy is only applicable to computers running Windows Server 2008 or Windows Vista.
@@ -1619,92 +872,38 @@ For more information about this setting, see [TPM Group Policy settings](/window
This policy setting is used to configure the default folder for recovery passwords.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password. |
-
-
-Introduced |
-Windows Vista |
-
-
-Drive type |
-All drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view. |
-
-
-When disabled or not configured |
-The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password.|
+|Introduced|Windows Vista|
+|Drive type|All drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|Conflicts|None|
+|When enabled|You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view.|
+|When disabled or not configured|The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.|
-Reference
+**Reference**
This policy setting is applied when you turn on BitLocker.
->**Note:** This policy setting does not prevent the user from saving the recovery password in another folder.
+> [!NOTE]
+> This policy setting does not prevent the user from saving the recovery password in another folder.
### Choose how BitLocker-protected fixed drives can be recovered
This policy setting is used to configure recovery methods for fixed data drives.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Fixed data drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
-
-Conflicts |
-You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.
-When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting. |
-
-
-When enabled |
-You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives. |
-
-
-When disabled or not configured |
-The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Fixed data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
+|Conflicts|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.|
+|When enabled|You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.|
+|When disabled or not configured|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.|
-Reference
+**Reference**
This policy setting is applied when you turn on BitLocker.
@@ -1717,55 +916,29 @@ Select **Omit recovery options from the BitLocker setup wizard** to prevent user
In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS.
Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.
-For more information about the BitLocker repair tool, see [Repair-bde](https://technet.microsoft.com/library/ff829851.aspx).
+For more information about the BitLocker repair tool, see [Repair-bde](/windows-server/administration/windows-commands/repair-bde).
Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
->**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.
+> [!NOTE]
+> If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.
### Choose how BitLocker-protected removable drives can be recovered
This policy setting is used to configure recovery methods for removable data drives.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Removable data drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
-
-Conflicts |
-You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.
-When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting. |
-
-
-When enabled |
-You can control the methods that are available to users to recover data from BitLocker-protected removable data drives. |
-
-
-When disabled or not configured |
-The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Removable data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|Conflicts|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.
+When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.|
+|When enabled|You can control the methods that are available to users to recover data from BitLocker-protected removable data drives.|
+|When disabled or not configured|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.|
-Reference
+**Reference**
This policy setting is applied when you turn on BitLocker.
@@ -1779,50 +952,24 @@ In **Save BitLocker recovery information to Active Directory Domain Services**,
Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
->**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.
+> [!NOTE]
+> If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.
### Configure the pre-boot recovery message and URL
This policy setting is used to configure the entire recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL. |
-
-
-Introduced |
-Windows 10 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the Use default recovery message and URL option. |
-
-
-When disabled or not configured |
-If the setting has not been previously enabled the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is subsequently disabled the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL.|
+|Introduced|Windows 10|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL|
+|Conflicts|None|
+|When enabled|The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the **Use default recovery message and URL** option.|
+|When disabled or not configured|If the setting has not been previously enabled the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is subsequently disabled the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message.|
-Reference
+**Reference**
Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key.
@@ -1832,111 +979,59 @@ Once you enable the setting you have three options:
- If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box will be displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message.
- If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which will be displayed on the pre-boot recovery screen.
-> **Important:** Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen.
->
-> **Important:** Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box.
+> [!IMPORTANT]
+> Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen.
+
+> [!IMPORTANT]
+> Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box.
### Allow Secure Boot for integrity validation
This policy controls how BitLocker-enabled system volumes are handled in conjunction with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-All drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-If you enable Allow Secure Boot for integrity validation, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.
-For more information about PCR 7, see Platform Configuration Register (PCR) in this topic. |
-
-
-When enabled or not configured |
-BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation. |
-
-
-When disabled |
-BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|All drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|If you enable **Allow Secure Boot for integrity validation**, make sure the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation. For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.|
+|When enabled or not configured|BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.|
+|When disabled|BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.|
-Reference
+**Reference**
Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8.
When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker.
->**Warning:** Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates.
+> [!WARNING]
+> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates.
### Provide the unique identifiers for your organization
This policy setting is used to establish an identifier that is applied to all drives that are encrypted in your organization.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-All drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
-
-Conflicts |
-Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer. |
-
-
-When enabled |
-You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization. |
-
-
-When disabled or not configured |
-The identification field is not required. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|All drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|Conflicts|Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer.|
+|When enabled|You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.|
+|When disabled or not configured|The identification field is not required.|
-Reference
+**Reference**
-These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool.
+These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field.
-For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx).
+For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or external organizations.
-You can configure the identification fields on existing drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool.
+You can configure the identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization.
@@ -1946,44 +1041,17 @@ Multiple values separated by commas can be entered in the identification and all
This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets. |
-
-
-Introduced |
-Windows Vista |
-
-
-Drive type |
-All drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets. |
-
-
-When disabled or not configured |
-BitLocker secrets are removed from memory when the computer restarts. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.|
+|Introduced|Windows Vista|
+|Drive type|All drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|Conflicts|None|
+|When enabled|The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.|
+|When disabled or not configured|BitLocker secrets are removed from memory when the computer restarts.|
-Reference
+**Reference**
This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled.
@@ -1991,48 +1059,22 @@ This policy setting is applied when you turn on BitLocker. BitLocker secrets inc
This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. |
-
-
-When disabled or not configured |
-The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|None|
+|When enabled|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
+|When disabled or not configured|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
-Reference
+**Reference**
This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.
->**Important:** This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.
+> [!IMPORTANT]
+> This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.
A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following:
@@ -2044,7 +1086,8 @@ A platform validation profile consists of a set of PCR indices that range from 0
- Boot Manager (PCR 10)
- BitLocker Access Control (PCR 11)
->**Note:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
+> [!NOTE]
+> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
The following list identifies all of the PCRs available:
@@ -2066,44 +1109,17 @@ The following list identifies all of the PCRs available:
This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key. |
-
-
-Introduced |
-Windows Server 2008 and Windows Vista |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. |
-
-
-When disabled or not configured |
-The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.|
+|Introduced|Windows Server 2008 and Windows Vista|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|None|
+|When enabled|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
+|When disabled or not configured|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
-Reference
+**Reference**
This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection.
@@ -2117,7 +1133,8 @@ A platform validation profile consists of a set of PCR indices that range from 0
- Boot Manager (PCR 10)
- BitLocker Access Control (PCR 11)
->**Note:** The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only.
+> [!NOTE]
+> The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only.
The following list identifies all of the PCRs available:
@@ -2135,56 +1152,29 @@ The following list identifies all of the PCRs available:
- PCR 11: BitLocker access control
- PCR 12 - 23: Reserved for future use
->**Warning:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
+> [!WARNING]
+> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
### Configure TPM platform validation profile for native UEFI firmware configurations
This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.
-If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.
-For more information about PCR 7, see Platform Configuration Register (PCR) in this topic. |
-
-
-When enabled |
-Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. |
-
-
-When disabled or not configured |
-BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|Setting this policy with PCR 7 omitted, overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation,
If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.
For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.|
+|When enabled|Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
+|When disabled or not configured|BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
-Reference
+**Reference**
This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection.
->**Important:** This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled.
+> [!IMPORTANT]
+> This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled.
A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11).
@@ -2210,54 +1200,25 @@ The following list identifies all of the PCRs available:
- PCR 14: Boot Authorities
- PCR 15 – 23: Reserved for future use
->**Warning:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
+> [!WARNING]
+> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
### Reset platform validation data after BitLocker recovery
This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled |
-Platform validation data is refreshed when Windows is started following a BitLocker recovery. |
-
-
-When disabled |
-Platform validation data is not refreshed when Windows is started following a BitLocker recovery. |
-
-
-When not configured |
-Platform validation data is refreshed when Windows is started following a BitLocker recovery. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|None|
+|When enabled|Platform validation data is refreshed when Windows is started following a BitLocker recovery.|
+|When disabled|Platform validation data is not refreshed when Windows is started following a BitLocker recovery.|
+|When not configured|Platform validation data is refreshed when Windows is started following a BitLocker recovery.|
-Reference
+**Reference**
For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md).
@@ -2265,95 +1226,40 @@ For more information about the recovery process, see the [BitLocker recovery gui
This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation. |
-
-
-Introduced |
-Windows Server 2012 and Windows 8 |
-
-
-Drive type |
-Operating system drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
-
-Conflicts |
-When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting). |
-
-
-When enabled |
-You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings. |
-
-
-When disabled |
-The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7. |
-
-
-When not configured |
-The computer verifies the default BCD settings in Windows. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored (as defined by the **Allow Secure Boot for integrity validation** Group Policy setting).|
+|When enabled|You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings.|
+|When disabled|The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.|
+|When not configured|The computer verifies the default BCD settings in Windows.|
-Reference
+**Reference**
->**Note:** The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list.
+> [!NOTE]
+> The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list.
### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and if the application is installed on the drive.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2). |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Fixed data drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled and When not configured |
-Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives. |
-
-
-When disabled |
-Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Fixed data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
+|Conflicts|None|
+|When enabled and When not configured|Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.|
+|When disabled|Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.|
-Reference
+**Reference**
->**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system.
+> [!NOTE]
+> This policy setting does not apply to drives that are formatted with the NTFS file system.
When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.
@@ -2361,46 +1267,20 @@ When this policy setting is enabled, select the **Do not install BitLocker To Go
This policy setting controls access to removable data drives that are using the BitLocker To Go Reader and whether the BitLocker To Go Reader can be installed on the drive.
-
-
-
-
-
-
-
-Policy description |
-With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. |
-
-
-Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
-
-Drive type |
-Removable data drives |
-
-
-Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
-
-Conflicts |
-None |
-
-
-When enabled and When not configured |
-Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives. |
-
-
-When disabled |
-Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed. |
-
-
-
+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Removable data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|Conflicts|None|
+|When enabled and When not configured|Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.|
+|When disabled|Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.|
-Reference
+**Reference**
->**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system.
+> [!NOTE]
+> This policy setting does not apply to drives that are formatted with the NTFS file system.
When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed.
@@ -2408,44 +1288,17 @@ When this policy setting is enabled, select the **Do not install BitLocker To Go
You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect of FIPS compliance, users cannot create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted.
-
-
-
-
-
-
-
-Policy description |
-Notes |
-
-
-Introduced |
-Windows Server 2003 with SP1 |
-
-
-Drive type |
-System-wide |
-
-
-Policy path |
-Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing |
-
-
-Conflicts |
-Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems. |
-
-
-When enabled |
-Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password. |
-
-
-When disabled or not configured |
-No BitLocker encryption key is generated |
-
-
-
+|||
+|--- |--- |
+|Policy description|Notes|
+|Introduced|Windows Server 2003 with SP1|
+|Drive type|System-wide|
+|Policy path|Local Policies\Security Options\System cryptography: **Use FIPS compliant algorithms for encryption, hashing, and signing**|
+|Conflicts|Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems.|
+|When enabled|Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.|
+|When disabled or not configured|No BitLocker encryption key is generated|
-Reference
+**Reference**
This policy needs to be enabled before any encryption key is generated for BitLocker. Note that when this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead.
@@ -2453,7 +1306,7 @@ You can save the optional recovery key to a USB drive. Because recovery password
You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform these procedures.
-For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](https://technet.microsoft.com/library/jj852197.aspx).
+For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing).
## Power management Group Policy settings: Sleep and Hibernate
@@ -2477,11 +1330,12 @@ Changing from the default platform validation profile affects the security and m
PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can leverage Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4 which have the measurements of the exact firmware and Bootmgr images loaded. This
reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration.
-PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](https://msdn.microsoft.com/library/windows/hardware/jj923068.aspx).
+PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol).
PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and Secure Boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default.
## See also
+
- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
- [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index d8cb2c79de..5c7b1190b1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -95,7 +95,7 @@ The server side configuration to enable Network Unlock also requires provisionin
The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
-### Install the WDS Server role
+### Install the WDS Server role
The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager.
@@ -107,7 +107,7 @@ Install-WindowsFeature WDS-Deployment
You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
-### Confirm the WDS Service is running
+### Confirm the WDS Service is running
To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service.
@@ -116,7 +116,7 @@ To confirm the service is running using Windows PowerShell, use the following co
```powershell
Get-Service WDSServer
```
-### Install the Network Unlock feature
+### Install the Network Unlock feature
To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
@@ -125,7 +125,7 @@ To install the feature using Windows PowerShell, use the following command:
```powershell
Install-WindowsFeature BitLocker-NetworkUnlock
```
-### Create the certificate template for Network Unlock
+### Create the certificate template for Network Unlock
A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates.
@@ -155,7 +155,7 @@ To add the Network Unlock template to the Certification Authority, open the Cert
After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock.
-### Create the Network Unlock certificate
+### Create the Network Unlock certificate
Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate.
@@ -218,7 +218,7 @@ Certreq example:
3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name:
- ``` syntax
+ ```cmd
certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
```
@@ -226,7 +226,7 @@ Certreq example:
5. Launch Certificates - Local Machine by running **certlm.msc**.
6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
-### Deploy the private key and certificate to the WDS server
+### Deploy the private key and certificate to the WDS server
With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following:
@@ -281,6 +281,7 @@ SUBNET2=10.185.252.200/28
SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
```
+
Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate.
> [!NOTE]
@@ -288,8 +289,9 @@ Following the \[SUBNETS\] section, there can be sections for each Network Unlock
Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section.
Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon.
+
```ini
-[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
+[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on.
;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out.
SUBNET1
@@ -299,17 +301,20 @@ SUBNET3
To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED".
-## Turning off Network Unlock
+## Turning off Network Unlock
To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
> [!NOTE]
> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
-## Update Network Unlock certificates
+## Update Network Unlock certificates
To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller.
+> [!NOTE]
+> Servers that do not receive the Group Policy Object (GPO) will require a PIN when booting. In such cases, the reason why the server did not receive the GPO to update the certificate needs to be investigated.
+
## Troubleshoot Network Unlock
Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue will be the root cause of the failure. Items to verify include:
@@ -336,7 +341,7 @@ Files to gather when troubleshooting BitLocker Network Unlock include:
1. Start an elevated command prompt and run the following command:
- ``` syntax
+ ```cmd
wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true
```
2. Open Event Viewer on the WDS server.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 943135fa94..799e432faa 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -21,6 +21,7 @@ ms.custom: bitlocker
# BitLocker recovery guide
**Applies to**
+
- Windows 10
This topic for IT professionals describes how to recover BitLocker keys from AD DS.
@@ -43,7 +44,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker
The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
-- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout.
+- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
- Failing to boot from a network drive before booting from the hard drive.
@@ -84,14 +85,14 @@ The following list provides examples of specific events that will cause BitLocke
> [!NOTE]
> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components.
-
+
For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.
> [!NOTE]
> If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method.
-
+
Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user.
## Testing recovery
@@ -109,17 +110,16 @@ Before you create a thorough BitLocker recovery process, we recommend that you t
1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**.
2. At the command prompt, type the following command and then press ENTER:
- `manage-bde. -ComputerName -forcerecovery `
+ `manage-bde -ComputerName -forcerecovery `
> [!NOTE]
> Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).
-
+
## Planning your recovery process
When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model.
-Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker
-Administration and Monitoring](https://technet.microsoft.com/windows/hh826072.aspx).
+Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).
After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization.
@@ -150,7 +150,7 @@ DS** check box if you want to prevent users from enabling BitLocker unless the c
> [!NOTE]
> If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required.
-
+
The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory.
You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.
@@ -191,7 +191,7 @@ Because the recovery password is 48 digits long the user may need to record the
> [!NOTE]
> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
-
+
### Post-recovery analysis
When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption
@@ -227,7 +227,7 @@ The details of this reset can vary according to the root cause of the recovery.
> [!NOTE]
> You can perform a BitLocker validation profile reset by suspending and resuming BitLocker.
-
+
- [Unknown PIN](#bkmk-unknownpin)
- [Lost startup key](#bkmk-loststartup)
- [Changes to boot files](#bkmk-changebootknown)
@@ -262,19 +262,18 @@ This error might occur if you updated the firmware. As a best practice you shoul
Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
-
## BitLocker recovery screen
During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery.
### Custom recovery message
-BitLocker Group Policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
+BitLocker Group Policy settings in Windows 10, version 1511, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**.
It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP:
-*./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage*
+*\./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\*
@@ -282,30 +281,26 @@ Example of customized recovery screen:
-
-
### BitLocker recovery key hints
-BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen.
+BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen.
> [!IMPORTANT]
> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account.
-
There are rules governing which hint is shown during the recovery (in order of processing):
1. Always display custom recovery message if it has been configured (using GPO or MDM).
-2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq."
+2. Always display generic hint: "For more information, go to ".
3. If multiple recovery keys exist on the volume, prioritize the last created (and successfully backed up) recovery key.
4. Prioritize keys with successful backup over keys that have never been backed up.
-5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**.
-6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints.
+5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**.
+6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints.
7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed up date.
-8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” will be displayed.
-9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer.
-
+8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," will be displayed.
+9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer.
#### Example 1 (single recovery key with single backup)
@@ -378,7 +373,6 @@ There are rules governing which hint is shown during the recovery (in order of p
-
#### Example 5 (multiple recovery passwords)
| Custom URL | No |
@@ -408,7 +402,6 @@ There are rules governing which hint is shown during the recovery (in order of p
-
## Using additional recovery information
Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used.
@@ -419,7 +412,7 @@ If the recovery methods discussed earlier in this document do not unlock the vol
> [!NOTE]
> You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package.
-
+
The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc).
## Resetting recovery passwords
@@ -456,6 +449,7 @@ You can reset the recovery password in two ways:
```powershell
Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
```
+
> [!WARNING]
> You must include the braces in the ID string.
@@ -471,7 +465,7 @@ You can reset the recovery password in two ways:
> [!NOTE]
> To manage a remote computer, you can specify the remote computer name rather than the local computer name.
-
+
You can use the following sample script to create a VBScript file to reset the recovery passwords.
```vb
@@ -891,5 +885,3 @@ End Function
## See also
- [BitLocker overview](bitlocker-overview.md)
-
-
diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
index f4020af299..e6e97c6293 100644
--- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
@@ -25,14 +25,14 @@ This article addresses common issues in BitLocker and provides guidelines to tro
Open Event Viewer and review the following logs under Applications and Services logs\\Microsoft\\Windows:
- **BitLocker-API**. Review the Management log, the Operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
- - Microsoft-Windows-BitLocker/BitLocker Operational
- - Microsoft-Windows-BitLocker/BitLocker Management
+ - Microsoft-Windows-BitLocker-API/BitLocker Operational
+ - Microsoft-Windows-BitLocker-API/BitLocker Management
-- **BitLocker-DrivePreparationTool**. Review the Admin log, the **Operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
+- **BitLocker-DrivePreparationTool**. Review the Admin log, the Operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
- Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
- Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
-Additionally, review the Windows logs\\System log for events that were produced by the TCM and TCM-WMI event sources.
+Additionally, review the Windows logs\\System log for events that were produced by the TPM and TPM-WMI event sources.
To filter and display or export logs, you can use the [wevtutil.exe](https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](https://docs.microsoft.com/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6) cmdlet.
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index 384c907c62..017eb64762 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -96,7 +96,7 @@ Because Secure Boot has protected the bootloader and Trusted Boot has protected
Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it.
-An ELAM driver isn’t a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows 10) supports ELAM, as does [Microsoft System Center 2012 Endpoint Protection](https://www.microsoft.com/server-cloud/system-center/endpoint-protection-2012.aspx) and several non-Microsoft anti-malware apps.
+An ELAM driver isn’t a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows 10) supports ELAM, as does [Microsoft System Center 2012 Endpoint Protection](https://docs.microsoft.com/lifecycle/products/microsoft-system-center-2012-endpoint-protection) and several non-Microsoft anti-malware apps.
## Measured Boot
If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-malware apps can report malware infections to the IT department, but that doesn’t work with rootkits that hide their presence. In other words, you can’t trust the client to tell you whether it’s healthy.
@@ -129,4 +129,4 @@ Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to
Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows 10, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows 10, you can truly trust the integrity of your operating system.
## Additional resources
-- [Windows 10 Enterprise Evaluation](https://technet.microsoft.com/evalcenter/hh699156.aspx?ocid=wc-tn-wctc)
+- [Windows 10 Enterprise LTSC 2019 or v2004 Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise)
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 73946540c5..d27fae3822 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -458,7 +458,7 @@ contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,conto
Value format without proxy:
```console
-contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com
+contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com,
```
### Protected domains
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 0de8771fac..9af557f950 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -59,7 +59,7 @@ To help address this security insufficiency, companies developed data loss preve
- **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft data loss prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).
-Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees’ natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.
+Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees’ natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.
### Using information rights management systems
To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
@@ -90,7 +90,7 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+ - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 78cbfc5ab5..867c020956 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -9,6 +9,7 @@
### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md)
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
+### [Microsoft Defender ATP for non-Windows platforms](microsoft-defender-atp/non-windows.md)
## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
@@ -18,16 +19,30 @@
### [Deployment phases](microsoft-defender-atp/deployment-phases.md)
### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
-### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
+### [Phase 3: Onboard]()
+#### [Onboarding overview](microsoft-defender-atp/onboarding.md)
+##### [Onboarding using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/onboarding-endpoint-configuration-manager.md)
+##### [Onboarding using Microsoft Endpoint Manager](microsoft-defender-atp/onboarding-endpoint-manager.md)
-## [Migration guides]()
-### [Migrate from Symantec to Microsoft Defender ATP]()
-#### [Get an overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md)
-#### [Prepare for your migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md)
-#### [Set up Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md)
-#### [Onboard to Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md)
-### [Manage Microsoft Defender ATP post migration]()
-#### [Overview](microsoft-defender-atp/manage-atp-post-migration.md)
+
+## [Migration guides](microsoft-defender-atp/migration-guides.md)
+### [Switch from McAfee to Microsoft Defender for Endpoint]()
+#### [Overview of migration](microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md)
+#### [Phase 1: Prepare](microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md)
+#### [Phase 2: Setup](microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md)
+#### [Phase 3: Onboard](microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md)
+### [Switch from Symantec to Microsoft Defender for Endpoint]()
+#### [Overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md)
+#### [Phase 1: Prepare](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md)
+#### [Phase 2: Setup](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md)
+#### [Phase 3: Onboard](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md)
+### [Switch from your non-Microsoft endpoint security solution to Microsoft Defender for Endpoint]()
+#### [Overview of migration](microsoft-defender-atp/switch-to-microsoft-defender-migration.md)
+#### [Phase 1: Prepare](microsoft-defender-atp/switch-to-microsoft-defender-prepare.md)
+#### [Phase 2: Setup](microsoft-defender-atp/switch-to-microsoft-defender-setup.md)
+#### [Phase 3: Onboard](microsoft-defender-atp/switch-to-microsoft-defender-onboard.md)
+### [Manage Microsoft Defender for Endpoint after migration]()
+#### [Overview of managing Microsoft Defender for Endpoint](microsoft-defender-atp/manage-atp-post-migration.md)
#### [Intune (recommended)](microsoft-defender-atp/manage-atp-post-migration-intune.md)
#### [Configuration Manager](microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md)
#### [Group Policy Objects](microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md)
@@ -66,7 +81,8 @@
##### [Application isolation]()
###### [Application guard overview](microsoft-defender-application-guard/md-app-guard-overview.md)
###### [System requirements](microsoft-defender-application-guard/reqs-md-app-guard.md)
-###### [Install Windows Defender Application Guard](microsoft-defender-application-guard/install-md-app-guard.md)
+###### [Install Microsoft Defender Application Guard](microsoft-defender-application-guard/install-md-app-guard.md)
+###### [Install Microsoft Defender Application Guard Extension](microsoft-defender-application-guard/md-app-guard-browser-extension.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
###### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
@@ -76,7 +92,7 @@
##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
#### [Device control]()
-##### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+##### [Code integrity](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
@@ -86,12 +102,12 @@
##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md)
##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
-
+##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md )
#### [Network protection]()
##### [Protect your network](microsoft-defender-atp/network-protection.md)
##### [Evaluate network protection](microsoft-defender-atp/evaluate-network-protection.md)
-##### [Turning on network protection](microsoft-defender-atp/enable-network-protection.md)
+##### [Turn on network protection](microsoft-defender-atp/enable-network-protection.md)
#### [Web protection]()
##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
@@ -213,7 +229,13 @@
#### [Deploy]()
##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
-##### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md)
+##### [JAMF Pro-based deployment]()
+###### [Deploying Microsoft Defender ATP for macOS using Jamf Pro](microsoft-defender-atp/mac-install-with-jamf.md)
+###### [Login to Jamf Pro](microsoft-defender-atp/mac-install-jamfpro-login.md)
+###### [Set up device groups](microsoft-defender-atp/mac-jamfpro-device-groups.md)
+###### [Set up policies](microsoft-defender-atp/mac-jamfpro-policies.md)
+###### [Enroll devices](microsoft-defender-atp/mac-jamfpro-enroll-devices.md)
+
##### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
##### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
#### [Update](microsoft-defender-atp/mac-updates.md)
@@ -234,6 +256,18 @@
#### [Resources](microsoft-defender-atp/mac-resources.md)
+
+
+### [Microsoft Defender Advanced Threat Protection for iOS]()
+#### [Overview of Microsoft Defender Advanced Threat Protection for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md)
+
+#### [Deploy]()
+##### [App-based deployment](microsoft-defender-atp/ios-install.md)
+
+#### [Configure]()
+##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md)
+
+
### [Microsoft Defender Advanced Threat Protection for Linux]()
#### [Overview of Microsoft Defender ATP for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
#### [What's New](microsoft-defender-atp/linux-whatsnew.md)
@@ -270,6 +304,11 @@
#### [Configure]()
##### [Configure Microsoft Defender ATP for Android features](microsoft-defender-atp/android-configure.md)
+#### [Privacy]()
+##### [Microsoft Defender ATP for Android - Privacy information](microsoft-defender-atp/android-privacy.md)
+
+#### [Troubleshoot]()
+##### [Troubleshoot issues](microsoft-defender-atp/android-support-signin.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
@@ -338,16 +377,9 @@
#### [Reporting]()
##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
-##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
#### [Device health and compliance reports](microsoft-defender-atp/machine-reports.md)
-
-#### [Custom detections]()
-##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md)
-##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md)
-##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md)
-
### [Behavioral blocking and containment]()
#### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)
#### [Client behavioral blocking](microsoft-defender-atp/client-behavioral-blocking.md)
@@ -360,10 +392,15 @@
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md)
-#### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md)
+#### [Learn, train, & get examples]()
+##### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md)
+##### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
#### [Work with query results](microsoft-defender-atp/advanced-hunting-query-results.md)
-#### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
-#### [Advanced hunting schema reference]()
+#### [Optimize & handle errors]()
+##### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
+##### [Handle errors](microsoft-defender-atp/advanced-hunting-errors.md)
+##### [Service limits](microsoft-defender-atp/advanced-hunting-limits.md)
+#### [Data schema]()
##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
##### [DeviceAlertEvents](microsoft-defender-atp/advanced-hunting-devicealertevents-table.md)
##### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md)
@@ -380,7 +417,10 @@
##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)
##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md)
##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)
-#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
+#### [Custom detections]()
+##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md)
+##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md)
+##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md)
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
@@ -431,8 +471,6 @@
#### [General]()
##### [Verify data storage location and update data retention settings](microsoft-defender-atp/data-retention-settings.md)
##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
-##### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
-##### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
##### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
#### [Permissions]()
@@ -620,6 +658,7 @@
#### [Managed security service provider (MSSP) integration]()
##### [Configure managed security service provider integration](microsoft-defender-atp/configure-mssp-support.md)
+##### [Supported managed security service providers](microsoft-defender-atp/mssp-list.md)
##### [Grant MSSP access to the portal](microsoft-defender-atp/grant-mssp-access.md)
##### [Access the MSSP customer portal](microsoft-defender-atp/access-mssp-portal.md)
##### [Configure alert notifications](microsoft-defender-atp/configure-mssp-notifications.md)
@@ -657,8 +696,12 @@
#### [Troubleshoot Microsoft Defender ATP service issues]()
##### [Troubleshoot service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
##### [Check service health](microsoft-defender-atp/service-status.md)
+##### [Contact Microsoft Defender ATP support](microsoft-defender-atp/contact-support.md)
+
#### [Troubleshoot live response issues](microsoft-defender-atp/troubleshoot-live-response.md)
+
+#### [Collect support logs using LiveAnalyzer ](microsoft-defender-atp/troubleshoot-collect-support-log.md)
#### [Troubleshoot attack surface reduction issues]()
##### [Network protection](microsoft-defender-atp/troubleshoot-np.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index e36022563e..1ce7884399 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -64,7 +64,6 @@ Detailed Tracking security policy settings and audit events can be used to monit
- [Audit Process Creation](audit-process-creation.md)
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
-- [Audit Credential Validation](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-credential-validation)
- [Audit Token Right Adjusted](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-token-right-adjusted)
## DS Access
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index cba2f4eb49..4c48e4623a 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -81,29 +81,29 @@ This event generates every time a new process starts.
- 1 - Windows Server 2012 R2, Windows 8.1.
- - Added “Process Command Line” field.
+ - Added "Process Command Line" field.
- 2 - Windows 10.
- **Subject** renamed to **Creator Subject**.
- - Added “**Target Subject**” section.
+ - Added "**Target Subject**" section.
- - Added “**Mandatory Label**” field.
+ - Added "**Mandatory Label**" field.
- - Added “**Creator Process Name**” field.
+ - Added "**Creator Process Name**" field.
***Field Descriptions:***
**Creator Subject** \[Value for versions 0 and 1 – **Subject**\]**:**
-- **Security ID** \[Type = SID\]**:** SID of account that requested the “create process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
+- **Security ID** \[Type = SID\]**:** SID of account that requested the "create process" operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create process” operation.
+- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the "create process" operation.
-- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
@@ -111,11 +111,11 @@ This event generates every time a new process starts.
- Uppercase full domain name: CONTOSO.LOCAL
- - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
+ - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
- - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
+ - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
-- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
+- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on."
**Target Subject** \[Version 2\]**:**
@@ -127,7 +127,7 @@ This event generates every time a new process starts.
- **Account Name** \[Type = UnicodeString\] \[Version 2\]**:** the name of the target account.
-- **Account Domain** \[Type = UnicodeString\] \[Version 2\]**:** target account’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** \[Type = UnicodeString\] \[Version 2\]**:** target account's domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
@@ -135,11 +135,11 @@ This event generates every time a new process starts.
- Uppercase full domain name: CONTOSO.LOCAL
- - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
+ - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
- - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
+ - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
-- **Logon ID** \[Type = HexInt64\] \[Version 2\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
+- **Logon ID** \[Type = HexInt64\] \[Version 2\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on."
**Process Information:**
@@ -173,11 +173,11 @@ This event generates every time a new process starts.
- **Creator Process ID** \[Type = Pointer\]**:** hexadecimal Process ID of the process which ran the new process. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-> You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+> You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**.
- **Creator Process Name** \[Version 2\] \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-- **Process Command Line** \[Version 1, 2\] \[Type = UnicodeString\]**:** contains the name of executable and arguments which were passed to it. You must enable “Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events” group policy to include command line in process creation events:
+- **Process Command Line** \[Version 1, 2\] \[Type = UnicodeString\]**:** contains the name of executable and arguments which were passed to it. You must enable "Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events" group policy to include command line in process creation events:
@@ -189,28 +189,27 @@ For 4688(S): A new process has been created.
| **Type of monitoring required** | **Recommendation** |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the high-value account or accounts. |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Creator Subject\\Security ID”** and **“Target Subject\\Security ID”** for accounts that are outside the allow list. |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** to see whether the account type is as expected. |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** corresponding to accounts from another domain or “external” accounts. |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that you are concerned about. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** for names that don’t comply with naming conventions. |
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the high-value account or accounts. |
+| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** (with other information) to monitor how or when a particular account is being used. |
+| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the accounts that should never be used. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "whitelist-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list. |
+| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** to see whether the account type is as expected. |
+| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** corresponding to accounts from another domain or "external" accounts. |
+| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that you are concerned about. |
+| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** for names that don't comply with naming conventions. |
-- If you have a pre-defined “**New** **Process Name**” or **“Creator Process Name**” for the process reported in this event, monitor all events with “**New** **Process Name**” or **“Creator Process Name**” not equal to your defined value.
+- If you have a pre-defined "**New** **Process Name**" or **"Creator Process Name**" for the process reported in this event, monitor all events with "**New** **Process Name**" or **"Creator Process Name**" not equal to your defined value.
-- You can monitor to see if “**New** **Process Name**” or **“Creator Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+- You can monitor to see if "**New** **Process Name**" or **"Creator Process Name**" is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-- If you have a pre-defined list of restricted substrings or words in process names (for example “**mimikatz**” or “**cain.exe**”), check for these substrings in “**New** **Process Name**” or **“Creator Process Name**.”
+- If you have a pre-defined list of restricted substrings or words in process names (for example "**mimikatz**" or "**cain.exe**"), check for these substrings in "**New** **Process Name**" or **"Creator Process Name**."
- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**.
-- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. Typically this means that UAC is disabled for this account for some reason.
+- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. Typically this means that UAC is disabled for this account for some reason.
-- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. This means that a user ran a program using administrative privileges.
+- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. This means that a user ran a program using administrative privileges.
- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs.
-- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the “**Mandatory Label**” in this event.
-
+- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the "**Mandatory Label**" in this event.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md
index ba941d6b5d..a6f3256c16 100644
--- a/windows/security/threat-protection/auditing/event-4698.md
+++ b/windows/security/threat-protection/auditing/event-4698.md
@@ -62,6 +62,17 @@ This event generates every time a new scheduled task is created.
```
+>[!NOTE]
+> Windows 10 Versions 1903 and above augments the event with these additional properties:
+> Event Version 1.
+> ***Event XML:***
+>```
+> 5066549580796854
+> 3932
+> 5304
+> 0
+> DESKTOP-Name
+
***Required Server Roles:*** None.
diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md
index 35eccf157c..48148e6246 100644
--- a/windows/security/threat-protection/auditing/event-4699.md
+++ b/windows/security/threat-protection/auditing/event-4699.md
@@ -62,6 +62,17 @@ This event generates every time a scheduled task was deleted.
```
+>[!NOTE]
+> Windows 10 Versions 1903 and above augments the event with these additional properties:
+> Event Version 1.
+> ***Event XML:***
+>```
+> 5066549580796854
+> 3932
+> 5304
+> 0
+> DESKTOP-Name
+
***Required Server Roles:*** None.
diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md
index 7de372086e..8d39b0e38d 100644
--- a/windows/security/threat-protection/auditing/event-4700.md
+++ b/windows/security/threat-protection/auditing/event-4700.md
@@ -62,6 +62,17 @@ This event generates every time a scheduled task is enabled.
```
+>[!NOTE]
+> Windows 10 Versions 1903 and above augments the event with these additional properties:
+> Event Version 1.
+> ***Event XML:***
+>```
+> 5066549580796854
+> 3932
+> 5304
+> 0
+> DESKTOP-Name
+
***Required Server Roles:*** None.
diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md
index efe36fcc4d..ef24c397fc 100644
--- a/windows/security/threat-protection/auditing/event-4701.md
+++ b/windows/security/threat-protection/auditing/event-4701.md
@@ -62,6 +62,17 @@ This event generates every time a scheduled task is disabled.
```
+>[!NOTE]
+> Windows 10 Versions 1903 and above augments the event with these additional properties:
+> Event Version 1.
+> ***Event XML:***
+>```
+> 5066549580796854
+> 3932
+> 5304
+> 0
+> DESKTOP-Name
+
***Required Server Roles:*** None.
diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md
index 4ae828770c..393a0619d6 100644
--- a/windows/security/threat-protection/auditing/event-4702.md
+++ b/windows/security/threat-protection/auditing/event-4702.md
@@ -62,6 +62,17 @@ This event generates every time scheduled task was updated/changed.
```
+>[!NOTE]
+> Windows 10 Versions 1903 and above augments the event with these additional properties:
+> Event Version 1.
+> ***Event XML:***
+>```
+> 5066549580796854
+> 3932
+> 5304
+> 0
+> DESKTOP-Name
+
***Required Server Roles:*** None.
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index d6788c3add..add9bc1309 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -8,7 +8,6 @@ ms.pagetype: security
ms.localizationpriority: medium
ms.author: dansimp
author: dansimp
-ms.date: 10/04/2019
ms.reviewer: dansimp
manager: dansimp
audience: ITPro
@@ -23,7 +22,7 @@ Microsoft recommends [a layered approach to securing removable media](https://ak
1. [Discover plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity.
2. Configure to allow or block only certain removable devices and prevent threats.
- 1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by USB vendor IDs, product IDs, device IDs, or a combination. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
+ 1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by using USB device IDs. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
2. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
- Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
@@ -98,35 +97,37 @@ In this example, the following classes needed to be added: HID, Keyboard, and {3
-If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device ID that you want to add. To find the vendor or product IDs, see [Look up device vendor ID or product ID](#look-up-device-vendor-id-or-product-id).
+If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device ID that you want to add. Device ID is based on the vendor ID and product ID values for a device. For information on device ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers).
+
+To find the device IDs, see [Look up device ID](#look-up-device-id).
For example:
1. Remove class USBDevice from the **Allow installation of devices using drivers that match these device setup**.
-2. Add the vendor ID or product ID to allow in the **Allow installation of device that match any of these device IDs**.
+2. Add the device ID to allow in the **Allow installation of device that match any of these device IDs**.
#### Prevent installation and usage of USB drives and other peripherals
If you want to prevent the installation of a device class or certain devices, you can use the prevent device installation policies:
-1. Enable **Prevent installation of devices that match any of these device IDs**.
+1. Enable **Prevent installation of devices that match any of these device IDs** and add these devices to the list.
2. Enable **Prevent installation of devices using drivers that match these device setup classes**.
> [!Note]
> The prevent device installation policies take precedence over the allow device installation policies.
-The **Prevent installation of devices that match any of these device IDs** policy allows you to specify a list of vendor or product IDs for devices that Windows is prevented from installing.
+The **Prevent installation of devices that match any of these device IDs** policy allows you to specify a list of devices that Windows is prevented from installing.
To prevent installation of devices that match any of these device IDs:
-1. [Look up device vendor ID or product ID](#look-up-device-vendor-id-or-product-id) for devices that you want Windows to prevent from installing.
+1. [Look up device ID](#look-up-device-id) for devices that you want Windows to prevent from installing.
2. Enable **Prevent installation of devices that match any of these device IDs** and add the vendor or product IDs to the list.
-#### Look up device vendor ID or product ID
-You can use Device Manager to look up a device vendor or product ID.
+#### Look up device ID
+You can use Device Manager to look up a device ID.
1. Open Device Manager.
2. Click **View** and select **Devices by connection**.
@@ -135,11 +136,11 @@ You can use Device Manager to look up a device vendor or product ID.
5. Click the **Property** drop-down list and select **Hardware Ids**.
6. Right-click the top ID value and select **Copy**.
-For information on vendor and product ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers).
+For information about Device ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers).
For information on vendor IDs, see [USB members](https://www.usb.org/members).
-The following is an example for looking up a device vendor ID or product ID using PowerShell:
+The following is an example for looking up a device vendor ID or product ID (which is part of the device ID) using PowerShell:
``` PowerShell
Get-WMIObject -Class Win32_DiskDrive |
Select-Object -Property *
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 279b1a69a3..b4f683756c 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -135,7 +135,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
- [API and SIEM integration](microsoft-defender-atp/configure-siem.md)
- [Exposed APIs](microsoft-defender-atp/apis-intro.md)
- [Role-based access control (RBAC)](microsoft-defender-atp/rbac.md)
-- [Reporting and trends](microsoft-defender-atp/powerbi-reports.md)
+- [Reporting and trends](microsoft-defender-atp/threat-protection-reports.md)
**[Integration with Microsoft solutions](microsoft-defender-atp/threat-protection-integration.md)**
diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md
index f73ad0c4ca..b6f4a2b873 100644
--- a/windows/security/threat-protection/intelligence/macro-malware.md
+++ b/windows/security/threat-protection/intelligence/macro-malware.md
@@ -27,12 +27,12 @@ Macro malware was fairly common several years ago because macros ran automatical
We've seen macro malware download threats from the following families:
-* [Ransom:MSIL/Swappa](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A)
-* [Ransom:Win32/Teerac](Ransom:Win32/Teerac)
-* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A)
-* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif)
-* [Win32/Fynloski](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski)
-* [Worm:Win32/Gamarue](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue)
+* [Ransom:MSIL/Swappa](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A)
+* [Ransom:Win32/Teerac](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Teerac&threatId=-2147277789)
+* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A)
+* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif)
+* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski)
+* [Worm:Win32/Gamarue](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue)
## How to protect against macro malware
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
index 6e38ba61c8..cfc9140745 100644
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ b/windows/security/threat-protection/intelligence/phishing.md
@@ -24,16 +24,35 @@ Cybercriminals often attempt to steal usernames, passwords, credit card details,
## What to do if you've been a victim of a phishing scam
-If you feel you've been a victim of a phishing attack, contact your IT admin. Immediately change all passwords associated with the accounts, and report any fraudulent activity to your bank and credit card company.
+If you feel you've been a victim of a phishing attack:
+
+1. Contact your IT admin if you are on a work computer.
+2. Immediately change all passwords associated with the accounts.
+3. Report any fraudulent activity to your bank and credit card company.
### Reporting spam
-Submit phishing scam emails to **Microsoft** by sending an email with the scam as an attachment to: phish@office365.microsoft.com. For more information on submitting messages to Microsoft, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
+- **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**.
-For Outlook and Outlook on the web users, use the **Report Message Add-in** for Microsoft Outlook. For information about how to install and use this tool, see [Enable the Report Message add-in](https://support.office.com/article/4250c4bc-6102-420b-9e0a-a95064837676).
+- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**.
+
+- **Microsoft**: Create a new, blank email message with the one of the following recipients:
+ - Junk: junk@office365.microsoft.com
+ - Phishing: phish@office365.microsoft.com
+
+ Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
+
+- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved.
+
+If you’re on a suspicious website:
+
+- **Microsoft Edge**: While you’re on a suspicious site, select the **More (…) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website.
+
+- **Internet Explorer**: While you’re on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website.
+
+>[!NOTE]
+>For more information, see [Protect yourself from phishing](https://support.microsoft.com/en-us/help/4033787/windows-protect-yourself-from-phishing).
-Send an email with the phishing scam to **The Anti-Phishing Working Group**: reportphishing@apwg.org. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved.
-
## How phishing works
Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season bait content can be tax-filing announcements that attempt to lure you into providing personal information such as your SSN or bank account information.
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index 771169d40b..59f32f84e6 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -17,6 +17,9 @@ manager: dansimp
Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016.
+
+> [!NOTE]
+> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file.
## The Solution
A script can help you with an alternative to MBSA’s patch-compliance checking:
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
index a0e3d27f66..1bf808c9ae 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
@@ -20,6 +20,9 @@ ms.topic: article
# What to do with false positives/negatives in Microsoft Defender Antivirus
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
index 072cc3c421..c313f7f7cf 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
@@ -18,6 +18,9 @@ manager: dansimp
# Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
index 9c9ec19ea9..ca821701f2 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@@ -18,6 +18,9 @@ manager: dansimp
# Collect Microsoft Defender AV diagnostic data
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
index 8bf5563e09..3038c3095f 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
@@ -17,6 +17,9 @@ ms.date: 08/17/2020
# Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
index 53d9dc6877..58cd36777d 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
@@ -16,6 +16,9 @@ manager: dansimp
---
# Common mistakes to avoid when defining exclusions
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable.
This topic describes some common mistake that you should avoid when defining exclusions.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
index ac38745a10..093c6632fb 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Manage Microsoft Defender Antivirus in your business
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
index 9800bbf096..93b12016f3 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Configure Microsoft Defender Antivirus scanning options
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
index f11dc35650..a71f13399e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
@@ -17,9 +17,12 @@ ms.date: 08/26/2020
# Turn on block at first sight
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Microsoft Defender Antivirus
Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
index 3d86286bb7..4be673460a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
@@ -18,9 +18,12 @@ manager: dansimp
# Configure the cloud block timeout period
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Microsoft Defender Antivirus
When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
index 0c3ce33cac..db09d1d9ef 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
@@ -17,6 +17,9 @@ manager: dansimp
# Configure end-user interaction with Microsoft Defender Antivirus
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
index e7d0bb0417..1351a2448b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
@@ -17,6 +17,9 @@ manager: dansimp
# Configure and validate exclusions for Microsoft Defender Antivirus scans
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -45,4 +48,4 @@ The following is a list of recommendations that you should keep in mind when def
## Related articles
- [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)
-- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
\ No newline at end of file
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
index d9e2707453..cad89f1643 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
@@ -16,6 +16,9 @@ manager: dansimp
# Configure and validate exclusions based on file extension and folder location
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
index e77c12eda2..5a4dcf2b76 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
index c705e4b465..0e9715c7f7 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
@@ -18,6 +18,9 @@ manager: dansimp
# Configure Microsoft Defender Antivirus features
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
index 1901905edb..f19baf44aa 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
@@ -18,9 +18,12 @@ manager: dansimp
# Configure and validate Microsoft Defender Antivirus network connections
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Microsoft Defender Antivirus
To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
@@ -57,7 +60,7 @@ The table below lists the services and their associated URLs. Make sure that the
| Microsoft Update Service (MU)
Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com`
`*.delivery.mp.microsoft.com`
`*.windowsupdate.com`
For details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com` `*.download.windowsupdate.com` `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` |
-| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
`https://www.microsoft.com/pkiops/certs`
`https://crl.microsoft.com/pki/crl/products`
`https://www.microsoft.com/pki/certs` |
+| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/`
`http://www.microsoft.com/pkiops/certs`
`http://crl.microsoft.com/pki/crl/products`
`http://www.microsoft.com/pki/certs` |
| Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`|
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
index db3e3a162e..ce2af4d4b6 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Configure the notifications that appear on endpoints
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
index 31d62322c4..ae76a5bd9d 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
@@ -17,6 +17,9 @@ manager: dansimp
# Configure exclusions for files opened by processes
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
index 20f94ac46b..3d94d7776c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Configure behavioral, heuristic, and real-time protection
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
index 6bcef11259..d16426a613 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ ms.custom: nextgen
# Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
index 8b66efba75..ef93c95c0e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Configure remediation for Microsoft Defender Antivirus scans
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
index ab7fa39e3c..fc90bc6dbc 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
@@ -17,6 +17,9 @@ ms.custom: nextgen
# Configure Microsoft Defender Antivirus exclusions on Windows Server
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
> [!NOTE]
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
index 440b53b85c..f482a524ba 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index 440b53b85c..f482a524ba 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
index 0036dd3c81..a6d053b389 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Deploy, manage, and report on Microsoft Defender Antivirus
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
index 56d1a243c9..e66ebbd817 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Deploy and enable Microsoft Defender Antivirus
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
index c2f2824510..ebce0895fc 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
@@ -17,6 +17,9 @@ manager: dansimp
# Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -44,69 +47,11 @@ You can also download the whitepaper [Microsoft Defender Antivirus on Virtual De
> [!IMPORTANT]
> Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
There are performance and feature improvements to the way in which Microsoft Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
-### Set up a dedicated VDI file share
+## Set up a dedicated VDI file share
-In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine - thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), Group Policy, or PowerShell.
+In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine — thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell.
-> [!TIP]
-> If you don't already have Intune, [try it for free](https://docs.microsoft.com/intune/fundamentals/free-trial-sign-up)!
-
-Open the Intune Management Portal either by searching for Intune on [https://portal.azure.com](https://portal.azure.com) or going to [https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com) and logging in.
-
-#### To create a group with only the devices or users you specify
-
-1. Go to **Groups** > **New group**.
-
-2. Specify the following values:
- - Group type: **Security**
- - Group name: **VDI test VMs**
- - Group description: *Optional*
- - Membership type: **Assigned**
-
-3. Add the devices or users you want to be a part of this test and then click **Create** to save the group.
-
-It’s a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or earlier versions. This will help when you create dashboards to test the performance changes.
-
-#### To create a group that will include any machine in your tenant that is a VM, even when they are newly created
-
-1. Go to **Groups** > **New group**.
-
-2. Specify the following values:
- - Group type: **Security**
- - Group name: **VDI test VMs**
- - Group description: *Optional*
- - Membership type: **Dynamic Device**
-
-3. Click **Simple rule**, and select **deviceModel**, **Equals**, and enter **Virtual Machine**.
-
-4. Click **Add query** and then **Create** to save the group.
-
-5. Go to **Device configuration**, then **Profiles**. You can modify an existing custom profile or create a new one.
-
-#### Create a new device configuration profile
-
-In this example, we create a new device configuration profile by clicking **Create profile**.
-
-1. Name it, choose **Windows 10 and later** as the Platform and – most importantly – select **Custom** as the profile type.
-
-2. The **Custom OMA-URI Settings** blade is opened automatically. Click **Add** then enter the following values:
- - Name: **VDI shared sig location**
- - Description: *Optional*
- - OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot**
- - Data type: **String**
- - `\\\wdav-update\` (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be)
-
-3. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade.
-
-4. Click **Create** to save the new profile. The profile details page now appears.
-
-5. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**.
-
-6. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesn’t make sense, go back to the groups blade and confirm the group contains the right users or devices.
-
-The profile will now be deployed to the impacted devices. This may take some time.
-
-#### Use Group Policy to enable the shared security intelligence feature:
+### Use Group Policy to enable the shared security intelligence feature:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then click **Edit**.
@@ -118,23 +63,23 @@ The profile will now be deployed to the impacted devices. This may take some tim
5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
-6. Enter `\\\wdav-update` (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be).
+6. Enter `\\\wdav-update` (for what this will be, see [Download and unpackage](#download-and-unpackage-the-latest-updates)).
7. Click **OK**.
8. Deploy the GPO to the VMs you want to test.
-#### Use PowerShell to enable the shared security intelligence feature
+### Use PowerShell to enable the shared security intelligence feature
Use the following cmdlet to enable the feature. You’ll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs:
-
+
```PowerShell
Set-MpPreference -SharedSignaturesPath \\\wdav-update
```
See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what the \ will be.
-### Download and unpackage the latest updates
+## Download and unpackage the latest updates
Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those).
@@ -149,30 +94,29 @@ New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null
Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage
-cmd /c "cd $vdmpath & c: & mpam-fe.exe /x"
+cmd /c "cd $vdmpath & c: & mpam-fe.exe /x"
```
You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update.
-We suggest starting with once a day – but you should experiment with increasing or decreasing the frequency to understand the impact.
+We suggest starting with once a day — but you should experiment with increasing or decreasing the frequency to understand the impact.
Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn’t advised because it will increase the network overhead on your management machine for no benefit.
-#### Set a scheduled task to run the powershell script
+### Set a scheduled task to run the PowerShell script
1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel.
2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**.
-3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**.
+3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**.
-4. You can choose to configure additional settings if you wish.
+4. You can choose to configure additional settings if you wish.
5. Click **OK** to save the scheduled task.
-
You can initiate the update manually by right-clicking on the task and clicking **Run**.
-#### Download and unpackage manually
+### Download and unpackage manually
If you would prefer to do everything manually, this what you would need to do to replicate the script’s behavior:
@@ -180,83 +124,85 @@ If you would prefer to do everything manually, this what you would need to do to
2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`; for example `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`.
- Note: In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time.
+ > [!NOTE]
+ > In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time.
3. Download a security intelligence package from [https://www.microsoft.com/wdsi/definitions](https://www.microsoft.com/wdsi/definitions) into the GUID folder. The file should be named `mpam-fe.exe`.
4. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example `mpam-fe.exe /X`.
- Note: The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
+ > [!NOTE]
+ > The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
-### Randomize scheduled scans
+## Randomize scheduled scans
Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md).
-The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan.
+The start time of the scan itself is still based on the scheduled scan policy — ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan.
See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans.
-### Use quick scans
+## Use quick scans
You can specify the type of scan that should be performed during a scheduled scan.
Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active.
1. Expand the tree to **Windows components > Windows Defender > Scan**.
-2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**.
+2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**.
3. Click **OK**.
-### Prevent notifications
+## Prevent notifications
Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface.
-1. Expand the tree to **Windows components > Windows Defender > Client Interface**.
+1. Expand the tree to **Windows components > Windows Defender > Client Interface**.
-2. Double-click **Suppress all notifications** and set the option to **Enabled**.
+2. Double-click **Suppress all notifications** and set the option to **Enabled**.
-3. Click **OK**.
+3. Click **OK**.
This prevents notifications from Microsoft Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
-### Disable scans after an update
+## Disable scans after an update
This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
> [!IMPORTANT]
> Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
-1. Expand the tree to **Windows components > Windows Defender > Signature Updates**.
+1. Expand the tree to **Windows components > Windows Defender > Signature Updates**.
-2. Double-click **Turn on scan after signature update** and set the option to **Disabled**.
+2. Double-click **Turn on scan after signature update** and set the option to **Disabled**.
-3. Click **OK**.
+3. Click **OK**.
This prevents a scan from running immediately after an update.
-### Scan VMs that have been offline
+## Scan VMs that have been offline
-1. Expand the tree to **Windows components > Windows Defender > Scan**.
+1. Expand the tree to **Windows components > Windows Defender > Scan**.
-2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**.
+2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**.
-3. Click **OK**.
+3. Click **OK**.
This forces a scan if the VM has missed two or more consecutive scheduled scans.
+## Enable headless UI mode
-### Enable headless UI mode
+1. Double-click **Enable headless UI mode** and set the option to **Enabled**.
-1. Double-click **Enable headless UI mode** and set the option to **Enabled**.
-
-2. Click **OK**.
+2. Click **OK**.
This hides the entire Microsoft Defender AV user interface from users.
-### Exclusions
+## Exclusions
-On Windows Server 2016, Microsoft Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus).
+Exclusions can be added, removed, or customized to suit your needs.
+For more details, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md).
## Additional resources
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
index 70611a2a36..0c17ea1575 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Detect and block potentially unwanted applications
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
index dbd8db2df4..e62fd3c943 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
@@ -16,9 +16,12 @@ ms.custom: nextgen
# Enable cloud-delivered protection
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Microsoft Defender Antivirus
> [!NOTE]
> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
index f6fcbbbeda..d76667b2a1 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
@@ -17,6 +17,9 @@ manager: dansimp
# Evaluate Microsoft Defender Antivirus
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-MEM.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-MEM.png
new file mode 100644
index 0000000000..0b0516183a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-MEM.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
index 75c974ae9b..9b9a68afc6 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
@@ -19,6 +19,9 @@ manager: dansimp
# Use limited periodic scanning in Microsoft Defender Antivirus
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
index 8b91ba2fde..2a22aeb079 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
@@ -11,13 +11,16 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
+ms.date: 09/17/2018
+ms.reviewer: pahuijbr
manager: dansimp
---
# Manage event-based forced updates
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -82,7 +85,7 @@ You can use Group Policy to force Microsoft Defender Antivirus to check and down
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**.
@@ -140,16 +143,16 @@ If you have enabled cloud-delivered protection, Microsoft Defender AV will send
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
> [!NOTE]
-> "Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
+> **Allow notifications to disable definitions based reports** enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
-## Related articles
+## See also
- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
index 690a9eee6a..ab04442450 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
index b626c962ef..9565e809a3 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
@@ -19,6 +19,9 @@ manager: dansimp
# Manage the schedule for when protection updates should be downloaded and applied
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
index 38a6d28737..2ac2800429 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
@@ -17,6 +17,9 @@ ms.custom: nextgen
# Manage the sources for Microsoft Defender Antivirus protection updates
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index 6f73b79b2b..35ef7a7f50 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -13,10 +13,14 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
+ms.date: 09/28/2020
---
# Manage Microsoft Defender Antivirus updates and apply baselines
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -30,9 +34,18 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u
> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+> [!NOTE]
+> You can use the below URL to find out what are the current versions:
+> [https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info)
+
## Security intelligence updates
-Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
+Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
+
+> [!NOTE]
+> Updates are released under the below KB numbers:
+> Microsoft Defender Antivirus: KB2267602
+> System Center Endpoint Protection: KB2461484
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
@@ -57,6 +70,45 @@ All our updates contain:
* serviceability improvements
* integration improvements (Cloud, MTP)
+
+ August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)
+
+ Security intelligence update version: **1.323.9.0**
+ Released: **August 27, 2020**
+ Platform: **4.18.2008.9**
+ Engine: **1.1.17400.5**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+* Add more telemetry events
+* Improved scan event telemetry
+* Improved behavior monitoring for memory scans
+* Improved macro streams scanning
+* Added "AMRunningMode" to Get-MpComputerStatus Powershell CmdLet
+
+### Known Issues
+No known issues
+
+
+
+
+ July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4)
+
+ Security intelligence update version: **1.321.30.0**
+ Released: **July 28, 2020**
+ Platform: **4.18.2007.8**
+ Engine: **1.1.17300.4**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+* Improved telemetry for BITS
+* Improved Authenticode code signing certificate validation
+
+### Known Issues
+No known issues
+
+
+
June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)
@@ -86,7 +138,7 @@ No known issues
Released: **May 26, 2020**
Platform: **4.18.2005.4**
Engine: **1.1.17100.2**
- Support phase: **Security and Critical Updates**
+ Support phase: **Technical upgrade Support (Only)**
### What's new
* Improved logging for scan events
@@ -108,7 +160,7 @@ No known issues
Released: **April 30, 2020**
Platform: **4.18.2004.6**
Engine: **1.1.17000.2**
- Support phase: **Security and Critical Updates**
+ Support phase: **Technical upgrade Support (Only)**
### What's new
* WDfilter improvements
@@ -182,7 +234,7 @@ Support phase: **Technical upgrade Support (Only)**
* Support platform updates when TMP is redirected to network path
* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
-* Fix 4.18.1911.10 hang
+* Fix 4.18.1911.3 hang
### Known Issues
[**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
@@ -190,14 +242,17 @@ Support phase: **Technical upgrade Support (Only)**
> [!IMPORTANT]
> This updates is needed by RS1 devices running lower version of the platform to support SHA2.
This update has reboot flag for systems that are experiencing the hang issue.
the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
+> [!IMPORTANT]
+> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update)
+
- November-2019 (Platform: 4.18.1911.2 | Engine: 1.1.16600.7)
+ November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)
Security intelligence update version: **1.307.13.0**
Released: **December 7, 2019**
-Platform: **4.18.1911.2**
+Platform: **4.18.1911.3**
Engine: **1.1.17000.7**
Support phase: **No support**
@@ -209,7 +264,7 @@ Support phase: **No support**
* add MRT logs to support files
### Known Issues
-No known issues
+When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
index 86217f98d9..06525a035e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Manage updates for mobile devices and virtual machines (VMs)
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 200a5cd47a..74c6ee2735 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -13,11 +13,14 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
-ms.date: 08/26/2020
+ms.date: 09/28/2020
---
# Microsoft Defender Antivirus compatibility
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -91,6 +94,8 @@ If you uninstall the other product, and choose to use Microsoft Defender Antivir
> [!WARNING]
> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+> [!IMPORTANT]
+> If you are using [Microsoft endpoint data loss prevention (Endpoint DLP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview), Microsoft Defender Antivirus real-time protection is enabled even when Microsoft Defender Antivirus is running in passive mode. Endpoint DLP depends on real-time protection to operate.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
index a8686a586b..e9bcff7d72 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
@@ -18,6 +18,9 @@ ms.custom: nextgen
# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
index a4a959b83d..76701c22f2 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
@@ -17,6 +17,9 @@ manager: dansimp
# Microsoft Defender Antivirus on Windows Server 2016 and 2019
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- Windows Server 2016
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
index e824427101..d2e1ac4fe4 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
@@ -17,6 +17,9 @@ manager: dansimp
# Run and review the results of a Microsoft Defender Offline scan
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
index d32346b285..a6e9c4aa01 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
@@ -17,6 +17,9 @@ manager: dansimp
# Microsoft Defender Antivirus in the Windows Security app
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
index 55931f992b..30030fb3b1 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
@@ -20,6 +20,9 @@ manager: dansimp
# Better together: Microsoft Defender Antivirus and Office 365
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- Microsoft Defender Antivirus
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 52690f977b..6b6a753cf0 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -14,10 +14,14 @@ audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
+ms.date: 08/31/2020
---
# Protect security settings with tamper protection
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- Windows 10
@@ -80,24 +84,20 @@ If you are a home user, or you are not subject to settings managed by a security
## Turn tamper protection on (or off) for your organization using Intune
-If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)).
-
-> [!NOTE]
-> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.
+If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) portal.
You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
- - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.)
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
- Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
-2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account.
+2. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account.
-3. Select **Device configuration** > **Profiles**.
+3. Select **Devices** > **Configuration Profiles**.
4. Create a profile as follows:
@@ -109,7 +109,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
- Tamper Protection: **Enabled**
- 
+ 
5. Assign the profile to one or more groups.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
index a2c6bdee36..c3358561d8 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
index da205310f1..2705f9bf69 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Report on Microsoft Defender Antivirus
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
index 434a02f941..19b05b9f87 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Restore quarantined files in Microsoft Defender AV
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
index d23aa3b802..da893a1b8a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
@@ -11,26 +11,23 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 09/28/2020
ms.reviewer:
manager: dansimp
---
# Review Microsoft Defender Antivirus scan results
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-After an Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
+After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
-## Use Microsoft Intune to review scan results
-
-1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
-
-2. Click the scan results in **Device actions status**.
-
## Use Configuration Manager to review scan results
See [How to monitor Endpoint Protection status](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
@@ -43,7 +40,7 @@ The following cmdlet will return each detection on the endpoint. If there are mu
Get-MpThreatDetection
```
-
+
You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
@@ -53,7 +50,7 @@ If you want to list threat detections, but combine detections of the same threat
Get-MpThreat
```
-
+
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
index 5266967e27..84a2edacf5 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Configure and run on-demand Microsoft Defender Antivirus scans
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -29,6 +32,9 @@ You can run an on-demand scan on individual endpoints. These scans will start im
Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
+> [!IMPORTANT]
+> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share.
+
Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
index 7c297d11d4..f176529dde 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@@ -11,13 +11,16 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 07/22/2020
+ms.date: 09/30/2020
ms.reviewer:
manager: dansimp
---
# Configure scheduled quick or full Microsoft Defender Antivirus scans
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -25,14 +28,13 @@ manager: dansimp
> [!NOTE]
> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
-
In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
-This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-To configure the Group Policy settings described in this topic:
+## To configure the Group Policy settings described in this article
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -198,7 +200,7 @@ Scan | Specify the time for a daily quick scan | Specify the number of minutes a
Use the following cmdlets:
```PowerShell
-Set-MpPreference -ScanScheduleQuickTime
+Set-MpPreference -ScanScheduleQuickScanTime
```
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
@@ -226,9 +228,7 @@ Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
-## Related topics
-
-
+## See also
- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
index 07f45f646e..da8cab7cff 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
@@ -18,9 +18,12 @@ ms.custom: nextgen
# Specify the cloud-delivered protection level
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Microsoft Defender Antivirus
You can specify the level of cloud-protection offered by Microsoft Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
index d800c3bebb..bebdd997f5 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
@@ -17,6 +17,9 @@ manager: dansimp
# Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
index a2747a705d..936180ce74 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
@@ -17,6 +17,9 @@ manager: dansimp
# Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
index 97fb2041b9..761dd08cfa 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
@@ -17,6 +17,9 @@ manager: dansimp
# Use Group Policy settings to configure and manage Microsoft Defender Antivirus
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
index 71edcfc785..b32ee0bc06 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
index 2bfad82a62..3dc5e33650 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
index 5247002bbc..a517c3bd60 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
index 9eb816975e..b24a051f44 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
@@ -16,9 +16,12 @@ ms.custom: nextgen
# Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Microsoft Defender Antivirus
Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
index 91d3f43edb..dc28f1eb2f 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
@@ -18,6 +18,9 @@ manager: dansimp
# Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md
index 35f40da2a5..52b3bb034e 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md
@@ -4,4 +4,5 @@
## [Install WDAG](install-md-app-guard.md)
## [Configure WDAG policies](configure-md-app-guard.md)
## [Test scenarios](test-scenarios-md-app-guard.md)
+## [Microsoft Defender Application Guard Extension](md-app-guard-browser-extension.md)
## [FAQ](faq-md-app-guard.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index 4dcd95abef..b3bb7867ee 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 08/17/2020
+ms.date: 09/14/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -22,7 +22,8 @@ Answering frequently asked questions about Microsoft Defender Application Guard
## Frequently Asked Questions
-### Can I enable Application Guard on machines equipped with 4GB RAM? |
+### Can I enable Application Guard on machines equipped with 4GB RAM?
+
We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is 4 cores.)
@@ -87,7 +88,7 @@ To trust a subdomain, you must precede your domain with two dots, for example: `
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's standalone mode. However, when using Windows Enterprise you will have access to Application Guard's enterprise-managed mode. This mode has some extra features that the standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
+When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
### Is there a size limit to the domain lists that I need to configure?
@@ -95,80 +96,8 @@ Yes, both the enterprise resource domains hosted in the cloud and the domains ca
### Why does my encryption driver break Microsoft Defender Application Guard?
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work, and will result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
-
-### Why do the network isolation policies in Group Policy and CSP look different?
-
-There is not a one-to-one mapping among all the network isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
-
-Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
-Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
-For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
-
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
### Why did Application Guard stop working after I turned off hyperthreading?
-If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility that Microsoft Defender Application Guard no longer meets the minimum requirements.
-
-### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
-
-Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
-
-### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file?
-
-This is a known issue. To mitigate this you need to create two firewall rules.
-For guidance on how to create a firewall rule by using group policy, see:
-- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
-- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
-
-First rule (DHCP Server):
-1. Program path: `%SystemRoot%\System32\svchost.exe`
-2. Local Service: Sid: `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177` (Internet Connection Service (SharedAccess))
-3. Protocol UDP
-4. Port 67
-
-Second rule (DHCP Client)
-This is the same as the first rule, but scoped to local port 68.
-In the Microsoft Defender Firewall user interface go through the following steps:
-1. Right click on inbound rules, create a new rule.
-2. Choose **custom rule**.
-3. Program path: **%SystemRoot%\System32\svchost.exe**.
-4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
-5. Any IP addresses.
-6. Allow the connection.
-7. All profiles.
-8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
-9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
-
-### Why can I not launch Application Guard when Exploit Guard is enabled?
-
-There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to the **use default**.
-
-
-### How can I have ICS in enabled state yet still use Application Guard?
-
-This is a two step process.
-
-Step 1:
-
-Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from **Enabled** to **Disabled**.
-
-Step 2:
-
-1. Disable IpNat.sys from ICS load:
-`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`.
-2. Configure ICS (SharedAccess) to enabled:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`.
-3. Disable IPNAT (Optional):
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`.
-4. Restart the device.
-
-### Why doesn't Application Guard work, even though it's enabled through Group Policy?
-
-Application Guard must meet all these prerequisites to be enabled in Enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard).
-To understand why it is not enabled in Enterprise mode, check the status of the evaluation to understand what's missing.
-
-For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). On this page, you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite.
-
-For Group Policy you need to look at the registry. See **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP** Status. The meaning of each bit is the same as the CSP.
+If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png
new file mode 100644
index 0000000000..4ad77f8a06
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png
new file mode 100644
index 0000000000..25e3ef533b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png
new file mode 100644
index 0000000000..779f647b33
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png
index 1afbd303b0..7ee172b509 100644
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png and b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
new file mode 100644
index 0000000000..d01a2ef115
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
@@ -0,0 +1,98 @@
+---
+title: Microsoft Defender Application Guard Extension
+description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: martyav
+ms.author: v-maave
+ms.date: 06/12/2020
+ms.reviewer:
+manager: dansimp
+ms.custom: asr
+---
+
+# Microsoft Defender Application Guard Extension
+
+**Applies to:**
+
+- Windows 10
+
+[Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
+
+[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.
+
+> [!TIP]
+> Application Guard, by default, offers [native support](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them.
+
+Microsoft Defender Application Guard Extension defends devices in your organization from advanced attacks, by redirecting untrusted websites to an isolated version of [Microsoft Edge](https://www.microsoft.com/edge). If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device protected.
+
+## Prerequisites
+
+Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1803 or later:
+
+- Windows 10 Professional
+- Windows 10 Enterprise
+- Windows 10 Education
+
+Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already.
+
+## Installing the extension
+
+Application Guard can be run under [managed mode](install-md-app-guard.md#enterprise-managed-mode) or [standalone mode](install-md-app-guard.md#standalone-mode). The main difference between the two modes is whether policies have been set to define the organization's boundaries.
+
+Enterprise administrators running Application Guard under managed mode should first define Application Guard's [network isolation settings](configure-md-app-guard.md#network-isolation-settings), so a set of enterprise sites is already in place.
+
+From there, the steps for installing the extension are similar whether Application Guard is running in managed or standalone mode.
+
+1. On the local device, download and install the Application Guard extension for Google [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and/or Mozilla [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
+1. Install the [Windows Defender Application Guard companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab) from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer.
+1. Restart the device.
+
+### Recommended browser group policies
+
+Both Chrome and Firefox have their own browser-specific group policies. We recommend that admins use the following policy settings.
+
+#### Chrome policies
+
+These policies can be found along the filepath, *Software\Policies\Google\Chrome\\*, with each policy name corresponding to the file name (e.g., IncognitoModeAvailability is located at *Software\Policies\Google\Chrome\IncognitoModeAvailability*).
+
+Policy name | Values | Recommended setting | Reason
+-|-|-|-
+[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled
`1` = Disabled
`2` = Forced (i.e. forces pages to only open in Incognito mode) | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default.
+[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
`true`, `1`, or not configured = Enabled | Disabled | This policy allows users to login as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default.
+[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
`true` or `1` = Enabled
**Note:** If this policy is not set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension.
+[ExtensionSettings](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the [Google Cloud documentation](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) for complete schema. | Include an entry for `force_installed` | This policy prevents users from manually removing the extension.
+
+#### Firefox policies
+
+These policies can be found along the filepath, *Software\Policies\Mozilla\Firefox\\*, with each policy name corresponding to the file name (e.g., DisableSafeMode is located at *Software\Policies\Mozilla\Firefox\DisableSafeMode*).
+
+Policy name | Values | Recommended setting | Reason
+-|-|-|-
+[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
`true` or `1` = Safe mode is disabled | True (i.e. the policy is enabled and Safe mode is *not* allowed to run) | Safe mode can allow users to circumvent Application Guard
+[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to *about:config* is allowed
`true` or `1` = User access to *about:config* is not allowed | True (i.e. the policy is enabled and access to about:config is *not* allowed) | *About:config* is a special page within Firefox that offers control over many settings that may compromise security
+[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions (these can be found by searching `extensions.webextensions.uuids` within the about:config page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user cannot disable or uninstall it.
+
+## Troubleshooting guide
+
+
+
+Error message | Cause | Actions
+-|-|-
+Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot 2. If the companion app is already installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and re-install the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
+ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Retry the operation
+Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser 2. Check for updates in both the Microsoft store and the respective web store for the affected browser
+Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and re-install the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
+Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Retry the operation
+Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed. 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and re-install the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
+Protocol out of sync | The extension and native app cannot communicate with each other. This is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser
+Security patch level does not match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser
+Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Check if Edge is working 3. Retry the operation
+
+## Related articles
+
+- [Microsoft Defender Application Guard overview](md-app-guard-overview.md)
+- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 9a278e3b9b..4acd29aa2d 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 03/28/2019
+ms.date: 09/07/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -18,7 +18,8 @@ ms.custom: asr
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
+
+Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
## What is Application Guard and how does it work?
@@ -48,4 +49,5 @@ Application Guard has been created to target several types of systems:
|[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
+| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a trouble-shooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index e2a6d3e0ec..1b3e19b06b 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -10,69 +10,68 @@ author: denisebmsft
ms.author: deniseb
ms.reviewer:
manager: dansimp
+ms.date: 09/14/2020
ms.custom: asr
---
# Application Guard testing scenarios
+**Applies to:**
-**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
-
## Application Guard in standalone mode
You can see how an employee would use standalone mode with Application Guard.
### To test Application Guard in Standalone mode
-1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
+1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
-2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
+2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu.
-
+
3. Wait for Application Guard to set up the isolated environment.
>[!NOTE]
- >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.
-
+ >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.
+
4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.
-## Application Guard in Enterprise-managed mode
+## Application Guard in Enterprise-managed mode
How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode.
### Install, set up, and turn on Application Guard
-Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
+Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard#install-application-guard).
-2. Restart the device and then start Microsoft Edge.
+2. Restart the device, and then start Microsoft Edge.
3. Set up the Network Isolation settings in Group Policy:
- a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**.
-
+ a. Click on the **Windows** icon, type `Group Policy`, and then click **Edit Group Policy**.
+
b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
- c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box.
+ c. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box.
d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting.
- e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box.
+ e. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box.
-4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Enterprise Mode** setting.
+4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting.
5. Click **Enabled**, choose Option **1**, and click **OK**.
@@ -81,14 +80,14 @@ Before you can use Application Guard in enterprise mode, you must install Window
>[!NOTE]
>Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
-6. Start Microsoft Edge and type www.microsoft.com.
-
+6. Start Microsoft Edge and type `https://www.microsoft.com`.
+
After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.
7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists.
-
+
After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
@@ -108,6 +107,7 @@ Application Guard provides the following default behavior for your employees:
You have the option to change each of these settings to work with your enterprise from within Group Policy.
**Applies to:**
+
- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
@@ -116,24 +116,24 @@ You have the option to change each of these settings to work with your enterpris
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**.
2. Click **Enabled** and click **OK**.
-
+
3. Choose how the clipboard works:
-
+
- Copy and paste from the isolated session to the host PC
-
+
- Copy and paste from the host PC to the isolated session
-
+
- Copy and paste both directions
4. Choose what can be copied:
-
- - **1.** Only text can be copied between the host PC and the isolated container.
- - **2.** Only images can be copied between the host PC and the isolated container.
+ - Only text can be copied between the host PC and the isolated container.
- - **3.** Both text and images can be copied between the host PC and the isolated container.
+ - Only images can be copied between the host PC and the isolated container.
+
+ - Both text and images can be copied between the host PC and the isolated container.
5. Click **OK**.
@@ -156,21 +156,26 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled** and click **OK**.
-
+
3. Open Microsoft Edge and browse to an untrusted, but safe URL.
- The website opens in the isolated session.
+ The website opens in the isolated session.
4. Add the site to your **Favorites** list and then close the isolated session.
-5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
The previously added site should still appear in your **Favorites** list.
- >[!NOTE]
- >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
-
+ > [!NOTE]
+ > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
+ >
+ > If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
+ >
+ > **To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
+
**Applies to:**
+
- Windows 10 Enterprise edition, version 1803
- Windows 10 Professional edition, version 1803
@@ -181,10 +186,10 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled** and click **OK**.
-
+
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
-4. Download a file from Microsoft Defender Application Guard.
+4. Download a file from Microsoft Defender Application Guard.
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
@@ -195,12 +200,13 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled** and click **OK**.
-
-3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
-4. Assess the visual experience and battery performance.
+3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
+
+4. Assess the visual experience and battery performance.
**Applies to:**
+
- Windows 10 Enterprise edition, version 1809
- Windows 10 Professional edition, version 1809
@@ -210,11 +216,11 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled**, set **Options** to 2, and click **OK**.
- 
-
+ 
+
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
-4. Open a file in Edge, such an Office 365 file.
+4. Open a file in Edge, such an Office 365 file.
5. Check to see that an antivirus scan completed before the file was opened.
@@ -224,11 +230,11 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled** and click **OK**.
- 
-
+ 
+
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
-4. Open an application with video or audio capability in Edge.
+4. Open an application with video or audio capability in Edge.
5. Check that the camera and microphone work as expected.
@@ -238,7 +244,23 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
- 
-
+ 
+
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+## Application Guard Extension for third-party web browsers
+
+The [Application Guard Extension](md-app-guard-browser-extension.md) available for Chrome and Firefox allows Application Guard to protect users even when they are running a web browser other than Microsoft Edge or Internet Explorer.
+
+Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios.
+
+1. Open either Firefox or Chrome — whichever browser you have the extension installed on.
+
+2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
+ 
+
+3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
+ 
+
+4. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window**
+ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
index 647939803c..acb5350c34 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
@@ -19,6 +19,9 @@ ms.topic: article
# Access the Microsoft Defender Security Center MSSP customer portal
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -53,4 +56,4 @@ Use the following steps to obtain the MSSP customer tenant ID and then use the I
## Related topics
- [Grant MSSP access to the portal](grant-mssp-access.md)
- [Configure alert notifications](configure-mssp-notifications.md)
-- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
\ No newline at end of file
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
index 85b5514ca3..3ef821e164 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
@@ -18,6 +18,9 @@ ms.topic: article
# Add or Remove Machine Tags API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
index d5802d8faf..16e7db9ecf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@@ -19,6 +19,9 @@ ms.topic: article
# Configure advanced features in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -198,4 +201,4 @@ After configuring the [Security policy violation indicators](https://docs.micros
- [Update data retention settings](data-retention-settings.md)
- [Configure alert notifications](configure-email-notifications.md)
-- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
index 669be788ad..55a5df13d1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@@ -19,6 +19,9 @@ ms.topic: article
# Advanced hunting query best practices
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -89,4 +92,4 @@ DeviceProcessEvents
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
\ No newline at end of file
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
index cad9c6214b..80b4736768 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
@@ -20,6 +20,9 @@ ms.date: 01/22/2020
# DeviceAlertEvents
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -50,4 +53,4 @@ For information on other tables in the advanced hunting schema, see [the advance
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
\ No newline at end of file
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
index a3844f8f21..33fbf6118f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
@@ -19,6 +19,9 @@ ms.topic: article
# DeviceEvents
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
index 2e1e4ccfe6..e5a328a9db 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
@@ -20,6 +20,9 @@ ms.date: 01/14/2020
# DeviceFileCertificateInfo
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -55,4 +58,4 @@ For information on other tables in the advanced hunting schema, see [the advance
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
\ No newline at end of file
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
index 351be8cfc8..246f3b70bd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
@@ -19,6 +19,9 @@ ms.topic: article
# DeviceFileEvents
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
index 2327ce1a4e..7cd8fd9ebe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
@@ -19,6 +19,9 @@ ms.topic: article
# DeviceImageLoadEvents
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
index cc3663977a..b939d5ba59 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
@@ -19,6 +19,9 @@ ms.topic: article
# DeviceInfo
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
index 1f7e4db8a1..17b769e2f3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
@@ -19,6 +19,9 @@ ms.topic: article
# DeviceLogonEvents
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
index 3defded189..77692cf8fe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
@@ -19,6 +19,9 @@ ms.topic: article
# DeviceNetworkEvents
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -64,4 +67,4 @@ For information on other tables in the advanced hunting schema, see [the advance
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
\ No newline at end of file
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
index 82d860e259..8d919d89c0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
@@ -19,6 +19,9 @@ ms.topic: article
# DeviceNetworkInfo
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
index 4c9e3d2d15..3d7fc8a005 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
@@ -19,6 +19,9 @@ ms.topic: article
# DeviceProcessEvents
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
index bff256d499..4ee7217b7c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
@@ -19,6 +19,9 @@ ms.topic: article
# DeviceRegistryEvents
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
index 0b1624d685..22e4e6aa6b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
@@ -19,6 +19,9 @@ ms.topic: article
# DeviceTvmSecureConfigurationAssessment
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
index a50f7b4988..d2b7ab5de4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
@@ -19,6 +19,9 @@ ms.topic: article
# DeviceTvmSecureConfigurationAssessmentKB
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
index 6e83ac102d..a61d3499dc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
@@ -19,6 +19,9 @@ ms.topic: article
# DeviceTvmSoftwareInventoryVulnerabilities
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
index aa46c9d8a9..36a4097508 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
@@ -19,6 +19,9 @@ ms.topic: article
# DeviceTvmSoftwareVulnerabilitiesKB
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md
new file mode 100644
index 0000000000..092f10cf8f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md
@@ -0,0 +1,46 @@
+---
+title: Handle errors in advanced hunting for Microsoft Defender ATP
+description: Understand errors displayed when using advanced hunting
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Handle advanced hunting errors
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+
+
+Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined limits](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors.
+
+| Error type | Cause | Resolution | Error message examples |
+|--|--|--|--|
+| Syntax errors | The query contains unrecognized names, including references to nonexistent operators, columns, functions, or tables. | Ensure references to [Kusto operators and functions](https://docs.microsoft.com/azure/data-explorer/kusto/query/) are correct. Check [the schema](advanced-hunting-schema-reference.md) for the correct advanced hunting columns, functions, and tables. Enclose variable strings in quotes so they are recognized. While writing your queries, use the autocomplete suggestions from IntelliSense. | `A recognition error occurred.` |
+| Semantic errors | While the query uses valid operator, column, function, or table names, there are errors in its structure and resulting logic. In some cases, advanced hunting identifies the specific operator that caused the error. | Check for errors in the structure of query. Refer to [Kusto documentation](https://docs.microsoft.com/azure/data-explorer/kusto/query/) for guidance. While writing your queries, use the autocomplete suggestions from IntelliSense. | `'project' operator: Failed to resolve scalar expression named 'x'`|
+| Timeouts | A query can only run within a [limited period before timing out](advanced-hunting-limits.md). This error can happen more frequently when running complex queries. | [Optimize the query](advanced-hunting-best-practices.md) | `Query exceeded the timeout period.` |
+| CPU throttling | Queries in the same tenant have exceeded the [CPU resources](advanced-hunting-limits.md) that have been allocated based on tenant size. | The service checks CPU resource usage every 15 minutes and daily and displays warnings after usage exceeds 10% of the allocated limit. If you reach 100% utilization, the service blocks queries until after the next daily or 15-minute cycle. [Optimize your queries to avoid hitting CPU limits](advanced-hunting-best-practices.md) | - `This query used X% of your organization's allocated resources for the current 15 minutes.`
- `You have exceeded processing resources allocated to this tenant. You can run queries again in .` |
+| Result size limit exceeded | The aggregate size of the result set for the query has exceeded the maximum limit. This error can occur if the result set is so large that truncation at the 10,000-record limit can't reduce it to an acceptable size. Results that have multiple columns with sizable content are more likely to be impacted by this error. | [Optimize the query](advanced-hunting-best-practices.md) | `Result size limit exceeded. Use "summarize" to aggregate results, "project" to drop uninteresting columns, or "take" to truncate results.` |
+| Excessive resource consumption | The query has consumed excessive amounts of resources and has been stopped from completing. In some cases, advanced hunting identifies the specific operator that wasn't optimized. | [Optimize the query](advanced-hunting-best-practices.md) | -`Query stopped due to excessive resource consumption.`
-`Query stopped. Adjust use of the operator to avoid excessive resource consumption.` |
+| Unknown errors | The query failed because of an unknown reason. | Try running the query again. Contact Microsoft through the portal if queries continue to return unknown errors. | `An unexpected error occurred during query execution. Please try again in a few minutes.`
+
+## Related topics
+- [Advanced hunting best practices](advanced-hunting-best-practices.md)
+- [Service limits](advanced-hunting-limits.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Kusto Query Language overview](https://docs.microsoft.com/azure/data-explorer/kusto/query/)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md
new file mode 100644
index 0000000000..66e8db56e7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md
@@ -0,0 +1,48 @@
+---
+title: Advanced hunting limits in Microsoft Defender ATP
+description: Understand various service limits that keep the advanced hunting service responsive
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, schema, kusto, CPU limit, query limit, resources, maximum results
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Advanced hunting service limits
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+
+To keep the service performant and responsive, advanced hunting sets various limits for queries run manually and by [custom detection rules](custom-detection-rules.md). Refer to the following table to understand these limits.
+
+| Limit | Size | Refresh cycle | Description |
+|--|--|--|--|
+| Data range | 30 days | Every query | Each query can look up data from up to the past 30 days. |
+| Result set | 10,000 rows | Every query | Each query can return up to 10,000 records. |
+| Timeout | 10 minutes | Every query | Each query can run for up to 10 minutes. If it does not complete within 10 minutes, the service displays an error.
+| CPU resources | Based on tenant size | - On the hour and then every 15 minutes
- Daily at 12 midnight | The service enforces the daily and the 15-minute limit separately. For each limit, the [portal displays an error](advanced-hunting-errors.md) whenever a query runs and the tenant has consumed over 10% of allocated resources. Queries are blocked if the tenant has reached 100% until after the next daily or 15-minute cycle. |
+
+>[!NOTE]
+>A separate set of limits apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](run-advanced-query-api.md)
+
+Customers who run multiple queries regularly should track consumption and [apply optimization best practices](advanced-hunting-best-practices.md) to minimize disruption resulting from exceeding these limits.
+
+## Related topics
+
+- [Advanced hunting best practices](advanced-hunting-best-practices.md)
+- [Handle advanced hunting errors](advanced-hunting-errors.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Custom detections rules](custom-detection-rules.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
index e6feab4594..576f8e6c89 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
@@ -18,14 +18,20 @@ ms.topic: article
---
# Proactively hunt for threats with advanced hunting
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-Advanced hunting is a query-based threat-hunting tool that lets you explore raw data for the last 30 days. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.
+Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
-You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured devices.
+You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
+
+>[!TIP]
+>Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
## Get started with advanced hunting
Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
@@ -35,22 +41,25 @@ Watch this video for a quick overview of advanced hunting and a short tutorial t
You can also go through each of the following steps to ramp up your advanced hunting knowledge.
+We recommend going through several steps to quickly get up and running with advanced hunting.
+
| Learning goal | Description | Resource |
|--|--|--|
-| **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) |
+| **Learn the language** | Advanced hunting is based on [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) |
| **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) |
-| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
+| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
-| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
- [Custom detection rules](custom-detection-rules.md) |
+| **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)
- [Handle errors](advanced-hunting-errors.md) |
+| **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
- [Custom detection rules](custom-detection-rules.md) |
## Data freshness and update frequency
-Advanced hunting data can be categorized into two distinct types, each consolidated differently:
+Advanced hunting data can be categorized into two distinct types, each consolidated differently.
- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP.
-- **Entity data**—populates tables with consolidated information about users and devices. To provide fresh data, tables are updated every 15 minutes with any new information, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
+- **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
## Time zone
-All time information in advanced hunting is currently in the UTC time zone.
+Time information in advanced hunting is currently in the UTC time zone.
## Related topics
- [Learn the query language](advanced-hunting-query-language.md)
@@ -58,4 +67,4 @@ All time information in advanced hunting is currently in the UTC time zone.
- [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
-- [Custom detections overview](overview-custom-detections.md)
+- [Custom detections overview](overview-custom-detections.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
index 1b1ce276f6..7003a2670e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
@@ -19,6 +19,9 @@ ms.topic: article
# Learn the advanced hunting query language
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
index f036dd4418..97391fa308 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
@@ -19,6 +19,9 @@ ms.topic: article
# Work with advanced hunting query results
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -137,4 +140,4 @@ Once you apply the filter to modify the query and then run the query, the result
- [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
-- [Custom detections overview](overview-custom-detections.md)
\ No newline at end of file
+- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index 0e2f6811ad..6a0361489c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -20,6 +20,9 @@ ms.date: 01/14/2020
# Understand the advanced hunting schema
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
index 677a74ca65..4eb3858c7f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
@@ -19,6 +19,9 @@ ms.topic: article
# Use shared queries in advanced hunting
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -63,4 +66,4 @@ Microsoft security researchers regularly share advanced hunting queries in a [de
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
\ No newline at end of file
+- [Learn the query language](advanced-hunting-query-language.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
index 4a29f349d6..5e96430994 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
@@ -20,6 +20,9 @@ ms.date: 09/03/2018
---
# Alerts queue in Microsoft Defender Security Center
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
index c745548afb..9bf8d26a01 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@@ -20,6 +20,9 @@ ms.date: 03/27/2020
# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index 34ba31d9cb..67ed2be93e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -18,6 +18,9 @@ ms.topic: article
# Alert resource type
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
index 9022d913df..e8bb4f8847 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
---
# Configure Microsoft Defender ATP for Android features
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
index 20ef58ffa1..079bb71234 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Deploy Microsoft Defender ATP for Android with Microsoft Intune
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
@@ -30,7 +33,7 @@ device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-co
> [!NOTE]
-> **Microsoft Defender ATP for Android is now available on Google Play.**
+> **Microsoft Defender ATP for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)**
> You can connect to Google Play from Intune to deploy Microsoft Defender ATP app across Device Administrator and Android Enterprise entrollment modes.
Updates to the app are automatic via Google Play.
@@ -55,7 +58,7 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
- **Name**
- **Description**
- **Publisher** as Microsoft.
- - **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Microsoft Defender ATP Preview app Google Play Store URL)
+ - **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Microsoft Defender ATP app Google Play Store URL)
Other fields are optional. Select **Next**.
@@ -70,14 +73,14 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
> 
-6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
+4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
In a few moments, the Microsoft Defender ATP app would be created successfully, and a notification would show up at the top-right corner of the page.
-7. In the app information page that is displayed, in the **Monitor** section,
+5. In the app information page that is displayed, in the **Monitor** section,
select **Device install status** to verify that the device installation has
completed successfully.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md
new file mode 100644
index 0000000000..800e262876
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md
@@ -0,0 +1,111 @@
+---
+title: Microsoft Defender ATP for Android - Privacy information
+description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Android.
+keywords: microsoft, defender, atp, android, privacy, diagnostic
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Microsoft Defender ATP for Android - Privacy information
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
+
+
+Microsoft Defender ATP for Android collects information from your configured
+Android devices and stores it in the same tenant where you have Microsoft
+Defender ATP.
+
+Information is collected to help keep Microsoft Defender ATP for Android secure,
+up-to-date, performing as expected and to support the service.
+
+## Required Data
+
+Required data consists of data that is necessary to make Microsoft Defender ATP
+for Android work as expected. This data is essential to the operation of the
+service and can include data related to the end user, organization, device, and
+apps. Here's a list of the types of data being collected:
+
+### App information
+
+Information about Android application packages (APKs) on the device including
+
+- Install source
+- Storage location (file path) of the APK
+- Time of install, size of APK and permissions
+
+### Web page / Network information
+
+- Full URL (on supported browsers), when clicked
+- Connection information
+- Protocol type (such as HTTP, HTTPS, etc.)
+
+
+### Device and account information
+
+- Device information such as date & time, Android version, OEM model, CPU
+ info, and Device identifier
+- Device identifier is one of the below:
+ - Wi-Fi adapter MAC address
+ - [Android
+ ID](https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID)
+ (as generated by Android at the time of first boot of the device)
+ - Randomly generated globally unique identifier (GUID)
+
+- Tenant, Device and User information
+ - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely
+ identifies the device, User respectively at Azure Active directory.
+
+ - Azure tenant ID - GUID that identifies your organization within
+ Azure Active Directory
+
+ - Microsoft Defender ATP org ID - Unique identifier associated with
+ the enterprise that the device belongs to. Allows Microsoft to
+ identify whether issues are impacting a select set of enterprises
+ and how many enterprises are impacted
+
+ - User Principal Name – Email ID of the user
+
+### Product and service usage data
+- App package info, including name, version, and app upgrade status
+
+- Actions performed in the app
+
+- Threat detection information, such as threat name, category, etc.
+
+- Crash report logs generated by Android
+
+## Optional Data
+
+Optional data includes diagnostic data and feedback data. Optional diagnostic
+data is additional data that helps us make product improvements and provides
+enhanced information to help us detect, diagnose, and fix issues. Optional
+diagnostic data includes:
+
+- App, CPU, and network usage
+
+- State of the device from the app perspective, including scan status, scan
+ timings, app permissions granted, and upgrade status
+
+- Features configured by the admin
+
+- Basic information about the browsers on the device
+
+**Feedback Data** is collected through in-app feedback provided by the user
+
+- The user’s email address, if they choose to provide it
+
+- Feedback type (smile, frown, idea) and any feedback comments submitted by
+ the user
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
new file mode 100644
index 0000000000..a989d91d73
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
@@ -0,0 +1,98 @@
+---
+title: Troubleshoot issues on Microsoft Defender ATP for Android
+ms.reviewer:
+description: Troubleshoot issues for Microsoft Defender ATP for Android
+keywords: microsoft, defender, atp, android, cloud, connectivity, communication
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Troubleshooting issues on Microsoft Defender ATP for Android
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for
+ Android](microsoft-defender-atp-android.md)
+
+During onboarding, you might encounter sign in issues after the app is installed on your device.
+
+This article provides solutions to address the sign on issues.
+
+## Sign in failed - unexpected error
+**Sign in failed:** *Unexpected error, try later*
+
+
+
+**Message:**
+
+Unexpected error, try later
+
+**Cause:**
+
+You have an older version of "Microsoft Authenticator" app installed on your
+device.
+
+**Solution:**
+
+Install latest version and of [Microsoft
+Authenticator](https://play.google.com/store/apps/details?androidid=com.azure.authenticator)
+from Google Play Store and try again
+
+## Sign in failed - invalid license
+
+**Sign in failed:** *Invalid license, please contact administrator*
+
+
+
+**Message:** *Invalid license, please contact administrator*
+
+**Cause:**
+
+You do not have Microsoft 365 license assigned, or your organization does not
+have a license for Microsoft 365 Enterprise subscription.
+
+**Solution:**
+
+Contact your administrator for help.
+
+## Phishing pages are not blocked on specific OEM devices
+
+**Applies to:** Specific OEMs only
+
+- **Xiaomi**
+
+Phishing and harmful web connection threats detected by Microsoft Defender ATP
+for Android are not blocked on some Xiaomi devices. The following functionality does not work on these devices.
+
+
+
+
+**Cause:**
+
+Xiaomi devices introduced a new permission that prevents Microsoft Defender ATP
+for Android app from displaying pop-up windows while running in the background.
+
+Xiaomi devices permission: "Display pop-up windows while running in the
+background."
+
+
+
+**Solution:**
+
+Enable the required permission on Xiaomi devices.
+
+- Display pop-up windows while running in the background.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
index c7309c2bb9..0d6e8dcd1c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
@@ -20,6 +20,9 @@ hideEdit: true
---
# Microsoft Defender ATP for Android application license terms
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
index 09f3293f1a..7bc13986b1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# API Explorer
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
index 88fd42601a..3163df4fcb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
@@ -19,6 +19,9 @@ ms.topic: article
# Microsoft Defender ATP API - Hello World
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
index e4a1dddb18..8d06eb8f1b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
@@ -19,6 +19,9 @@ ms.topic: article
# Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
index 1e157ea511..19a2f46e0c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@@ -19,6 +19,9 @@ ms.topic: article
# Microsoft Defender ATP detections API fields
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
index a7f95c1789..9ed52103d9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
@@ -19,6 +19,9 @@ ms.topic: article
# Create custom reports using Power BI
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
index 1e42b10a63..b5e6b4ffb6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
@@ -18,6 +18,9 @@ ms.topic: article
# Microsoft Defender ATP API license and terms of use
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
## APIs
Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
index aac9695165..09205163fe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Access the Microsoft Defender Advanced Threat Protection APIs
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
index 1181ff8181..6eeaf5c729 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
@@ -20,6 +20,9 @@ ms.date: 11/28/2018
# Assign user access to Microsoft Defender Security Center
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- Azure Active Directory
- Office 365
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
index 492d7037dc..4726e2223f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
@@ -20,6 +20,9 @@ ms.date: 11/20/2018
# Experience Microsoft Defender ATP through simulated attacks
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -64,4 +67,4 @@ Read the walkthrough document provided with each attack scenario. Each document
## Related topics
- [Onboard devices](onboard-configure.md)
-- [Onboard Windows 10 devices](configure-endpoints.md)
\ No newline at end of file
+- [Onboard Windows 10 devices](configure-endpoints.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
index 992ba51235..0175049c55 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
@@ -18,6 +18,9 @@ ms.custom: asr
# Attack surface reduction frequently asked questions (FAQ)
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index 320472ce86..21443608c3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -18,6 +18,9 @@ ms.custom: asr
# Reduce attack surfaces with attack surface reduction rules
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
index 093a2013f5..8a4304b984 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
@@ -17,6 +17,9 @@ manager: dansimp
# Test how Microsoft Defender ATP features work in audit mode
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index cb7648e275..bca632927a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -14,11 +14,16 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
+ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
+ms.date: 09/24/2020
---
# View details and results of automated investigations
-During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically.
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically.
If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
@@ -160,5 +165,5 @@ When you click on the pending actions link, you'll be taken to the Action center
- [View and approve remediation actions](manage-auto-investigation.md)
-- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index bd94cf5240..d422058827 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -1,36 +1,43 @@
---
title: Use automated investigations to investigate and remediate threats
-description: Understand the automated investigation flow in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export
+description: Understand the automated investigation flow in Microsoft Defender for Endpoint.
+keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export, defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
+ms.date: 09/30/2020
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
+ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
+ms.custom: AIR
---
# Overview of automated investigations
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
-Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender ATP includes automated investigation and remediation capabilities.
+Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively.
-Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated.
+Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions.
> [!TIP]
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
## How the automated investigation starts
-When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
+When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
>[!NOTE]
>Currently, automated investigation only supports the following OS versions:
@@ -45,15 +52,15 @@ During and after an automated investigation, you can view details about the inve
|Tab |Description |
|--|--|
-|**Alerts**| Shows the alert that started the investigation.|
-|**Devices** |Shows where the alert was seen.|
-|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
-|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
-|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
+|**Alerts**| The alert(s) that started the investigation.|
+|**Devices** |The device(s) where the threat was seen.|
+|**Evidence** |The entities that were found to be malicious during an investigation.|
+|**Entities** |Details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
+|**Log** |The chronological, detailed view of all the investigation actions taken on the alert.|
|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. |
> [!IMPORTANT]
-> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
+> Go to the **[Action center](auto-investigation-action-center.md)** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
## How an automated investigation expands its scope
@@ -63,46 +70,33 @@ If an incriminated entity is seen in another device, the automated investigation
## How threats are remediated
-Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats.
+Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats.
> [!NOTE]
-> Microsoft Defender ATP tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
+> Microsoft Defender for Endpoint tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
You can configure the following levels of automation:
|Automation level | Description|
|---|---|
-|**Full - remediate threats automatically** | All remediation actions are performed automatically.
*This option is selected by default for Microsoft Defender ATP tenants created on or after August 16, 2020.*|
-|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.
Files or executables in all other folders are automatically remediated, if needed.|
-|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.
Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).|
-|**Semi - require approval for any remediation** | An approval is needed for any remediation action.
*This option is selected by default for Microsoft Defender ATP tenants created before August 16, 2020.*|
-|**No automated response** | Devices do not get any automated investigations run on them.
*This option is not recommended, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* |
+|**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.
***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*
*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* |
+|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).
Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). |
+|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).
Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` |
+|**Semi - require approval for any remediation** | Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).
*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*
*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*|
+|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.
***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* |
> [!IMPORTANT]
-> A few points of clarification regarding automation levels and default settings:
-> - If your tenant already has device groups defined, the automation level settings are not changed.
-> - If your tenant was onboarded to Microsoft Defender ATP before August 16, 2020, your organization's first device group is set to **Semi - require approval for any remediation** by default.
-> - If your tenant is onboarded on or after August 16, 2020, when your organization's first device group is set to **Full - remediate threats automatically**.
-> - To change an automation level, edit your [device groups](configure-automated-investigations-remediation.md#set-up-device-groups).
-
-
-### A few points to keep in mind
-
-- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
-
-- If your Microsoft Defender ATP tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed.
-
-- If your Microsoft Defender ATP tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center).
+> If your tenant already has device groups defined, then the automation level settings are not changed for those device groups.
## Next steps
- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
-- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
-## Related articles
+## See also
-- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
+- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
-- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
\ No newline at end of file
+- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
index d9ced772ad..2d1aa8f368 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
@@ -18,6 +18,9 @@ ms.topic: article
---
# Use basic permissions to access the portal
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- Azure Active Directory
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
index 4fc887a605..e9516735d3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
@@ -20,6 +20,9 @@ ms.collection:
# Behavioral blocking and containment
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
index 621f338029..9e38e27515 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
@@ -20,6 +20,9 @@ ms.date: 04/24/2018
# Check sensor health state in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
index 19fabebbdf..fee9bbd249 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
@@ -20,6 +20,9 @@ ms.collection:
# Client behavioral blocking
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
index d8929fdd67..398305b848 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
@@ -19,6 +19,9 @@ ms.topic: article
# Collect investigation package API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
index 07e42ab409..3642376253 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Microsoft Defender ATP for US Government GCC High customers
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
index bcc6ba7dc3..d34460c4bf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
@@ -18,6 +18,9 @@ ms.topic: article
# Common REST API error codes
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
* The error codes listed in the following table may be returned by an operation on any of Microsoft Defender ATP APIs.
* Note that in addition to the error code, every error response contains an error message which can help resolving the problem.
* Note that the message is a free text that can be changed.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/community.md b/windows/security/threat-protection/microsoft-defender-atp/community.md
index 78f18ff20e..7a83827fc5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/community.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/community.md
@@ -21,6 +21,9 @@ ms.date: 04/24/2018
# Access the Microsoft Defender ATP Community Center
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
index fb8e70489a..edcabf4028 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
@@ -19,6 +19,9 @@ ms.topic: article
# Enable Conditional Access to better protect users, devices, and data
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
index ef4053bac6..2a2e4d3535 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
@@ -19,6 +19,9 @@ ms.topic: article
# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
index 50726aa946..736ab0b846 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Configure attack surface reduction
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
You can configure attack surface reduction with a number of tools, including:
* Microsoft Intune
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
index a4c17d2c2a..6a3872d1b2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
@@ -1,10 +1,11 @@
---
title: Configure automated investigation and remediation capabilities
-description: Set up your automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
+description: Set up your automated investigation and remediation capabilities in Microsoft Defender for Endpoint.
keywords: configure, setup, automated, investigation, detection, alerts, remediation, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -14,16 +15,21 @@ ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
-ms.topic: conceptual
+ms.topic: article
+ms.date: 09/24/2020
+ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
---
-# Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection
+# Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
+If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
index 944a823a64..8946b66493 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
@@ -18,6 +18,9 @@ ms.topic: article
---
# Configure Conditional Access in Microsoft Defender ATP
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
index e605898b2f..18ba591b16 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
@@ -19,6 +19,9 @@ ms.topic: article
# Configure alert notifications in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -95,5 +98,4 @@ This section lists various issues that you may encounter when using email notifi
## Related topics
- [Update data retention settings](data-retention-settings.md)
-- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
- [Configure advanced features](advanced-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
index 413259ce26..36703ec3a4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
@@ -20,6 +20,9 @@ ms.date: 04/24/2018
# Onboard Windows 10 devices using Group Policy
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- Group Policy
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
index 50e1369d5f..439c8e61f3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
@@ -19,6 +19,9 @@ ms.topic: article
# Onboard Windows 10 devices using Mobile Device Management tools
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
index e59d230fb9..82e701c6e9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
@@ -19,6 +19,9 @@ ms.topic: article
# Onboard non-Windows devices
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- macOS
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
index 4536ced3cc..edc7d67d77 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
@@ -20,6 +20,9 @@ ms.date: 02/07/2020
# Onboard Windows 10 devices using Configuration Manager
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
index de35e7ec30..70821568d1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
@@ -19,6 +19,9 @@ ms.topic: article
# Onboard Windows 10 devices using a local script
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
index 771c2b866b..03c9870858 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@@ -20,6 +20,9 @@ ms.date: 04/16/2020
# Onboard non-persistent virtual desktop infrastructure (VDI) devices
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- Virtual desktop infrastructure (VDI) devices
@@ -30,6 +33,9 @@ ms.date: 04/16/2020
## Onboard non-persistent virtual desktop infrastructure (VDI) devices
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
Microsoft Defender ATP supports non-persistent VDI session onboarding.
>[!Note]
@@ -63,25 +69,21 @@ The following steps will guide you through onboarding VDI devices and will highl
1. Click **Download package** and save the .zip file.
-2. Copy all the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`.
+2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
- >[!NOTE]
- >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
+ 1. If you are not implementing a single entry for each device, copy WindowsDefenderATPOnboardingScript.cmd.
-3. The following step is only applicable if you're implementing a single entry for each device:
- **For single entry for each device**:
+ 1. If you are implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.
- 1. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` and `WindowsDefenderATPOnboardingScript.cmd` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
+ > [!NOTE]
+ > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer.
- > [!NOTE]
- > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
-
-4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
+3. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
> [!NOTE]
> Domain Group Policy may also be used for onboarding non-persistent VDI devices.
-5. Depending on the method you'd like to implement, follow the appropriate steps:
+4. Depending on the method you'd like to implement, follow the appropriate steps:
**For single entry for each device**:
Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.
@@ -90,7 +92,7 @@ The following steps will guide you through onboarding VDI devices and will highl
Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
-6. Test your solution:
+5. Test your solution:
1. Create a pool with one device.
@@ -103,9 +105,9 @@ The following steps will guide you through onboarding VDI devices and will highl
1. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.
**For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center.
-7. Click **Devices list** on the Navigation pane.
+6. Click **Devices list** on the Navigation pane.
-8. Use the search function by entering the device name and select **Device** as search type.
+7. Use the search function by entering the device name and select **Device** as search type.
## Updating non-persistent virtual desktop infrastructure (VDI) images
As a best practice, we recommend using offline servicing tools to patch golden/master images.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
index 867e457571..b77d79c856 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Onboarding tools and methods for Windows 10 devices
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
@@ -44,4 +47,4 @@ Topic | Description
[Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)
\ No newline at end of file
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
index 42f46bd701..db418af7ff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
@@ -19,6 +19,9 @@ ms.topic: article
# Optimize ASR rule deployment and detections
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
index c189165c5f..eb72937f89 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
@@ -19,6 +19,9 @@ ms.topic: article
# Get devices onboarded to Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
index 958fa4756c..d8200f1502 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
@@ -19,6 +19,9 @@ ms.topic: article
# Increase compliance to the Microsoft Defender ATP security baseline
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
index 3e3bb64cc8..1b1b0495eb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Ensure your devices are configured properly
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -78,4 +81,4 @@ Topic | Description
[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices.
[Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
\ No newline at end of file
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
index 0be1734f27..7503ffcee1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
@@ -19,16 +19,22 @@ ms.topic: article
---
# Configure and manage Microsoft Threat Experts capabilities
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
## Before you begin
+> [!NOTE]
+> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
+
Ensure that you have Microsoft Defender ATP deployed in your environment with devices enrolled, and not just on a laboratory set-up.
Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
-If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
+If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription.
## Register to Microsoft Threat Experts managed threat hunting service
If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal.
@@ -76,7 +82,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request.
-2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**.
+2. From the upper right-hand menu, click the **?** icon. Then, select **Consult a threat expert**.
@@ -84,7 +90,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
- The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription.
+ The following screen shows when you are on a full Microsoft Threat Experts - Experts on-Demand subscription.
@@ -107,7 +113,7 @@ Watch this video for a quick overview of the Microsoft Services Hub.
**Alert information**
- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
-- We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
+- We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Microsoft Defender ATP see these attempts? What type of sign-ins are being monitored?
- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
@@ -116,7 +122,7 @@ Watch this video for a quick overview of the Microsoft Services Hub.
- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
**Threat intelligence details**
-- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
+- We detected a phishing email that delivered a malicious Word document to a user. The malicious Word document caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor?
**Microsoft Threat Experts’ alert communications**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
index b7c4bf19d6..4455735f4f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
@@ -19,6 +19,9 @@ ms.topic: article
# Configure alert notifications that are sent to MSSPs
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -43,4 +46,4 @@ These check boxes must be checked:
## Related topics
- [Grant MSSP access to the portal](grant-mssp-access.md)
- [Access the MSSP customer portal](access-mssp-portal.md)
-- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
\ No newline at end of file
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
index 98599b9d18..fa877ecd83 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
@@ -19,6 +19,9 @@ ms.topic: article
# Configure managed security service provider integration
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -63,6 +66,8 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
- **Fetch alerts from MSSP customer's tenant using APIs**
This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
+## Multi-tenant access for MSSPs
+For information on how to implement a multi-tenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index 9469ec674f..d115e3867d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -19,6 +19,9 @@ ms.topic: article
# Configure device proxy and Internet connectivity settings
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index ed06fd8042..38b47a18f9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -19,6 +19,9 @@ ms.topic: article
# Onboard Windows servers to the Microsoft Defender ATP service
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- Windows Server 2008 R2 SP1
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
index a72dbb0a7b..2767826ed6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
@@ -19,6 +19,9 @@ ms.topic: article
# Pull detections to your SIEM tools
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md
index bc7f7201e2..69775ff5c3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
---
# Connected applications in Microsoft Defender ATP
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/contact-support.md b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md
new file mode 100644
index 0000000000..252019ef63
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md
@@ -0,0 +1,90 @@
+---
+title: Contact Microsoft Defender ATP support
+description: Learn how to contact Microsoft Defender ATP support
+keywords: support, contact, premier support, solutions, problems, case
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Contact Microsoft Defender ATP support
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+
+Microsoft Defender ATP has recently upgraded the support process to offer a more modern and advanced support experience.
+
+The new widget allows customers to:
+- Find solutions to common problems
+- Submit a support case to the Microsoft support team
+
+## Prerequisites
+It's important to know the specific roles that have permission to open support cases.
+
+At a minimum, you must have a Service Support Administrator **OR** Helpdesk Administrator role.
+
+
+For more information on which roles have permission see, [Security Administrator permissions](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles#security-administrator-permissions). Roles that include the action `microsoft.office365.supportTickets/allEntities/allTasks` can submit a case.
+
+For general information on admin roles, see [About admin roles](https://docs.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide).
+
+
+## Access the widget
+Accessing the new support widget can be done in one of two ways:
+
+1. Clicking on the question mark on the top right of the portal and then clicking on "Microsoft support":
+
+ 
+
+2. Clicking on the **Need help?** button in the bottom right of the Microsoft Defender Security Center:
+
+
+ 
+
+In the widget you will be offered two options:
+
+- Find solutions to common problems
+- Open a service request
+
+## Find solutions to common problems
+This option includes articles that might be related to the question you may ask. Just start typing the question in the search box and articles related to your search will be surfaced.
+
+
+
+In case the suggested articles are not sufficient, you can open a service request.
+
+## Open a service request
+
+Learn how to open support tickets by contacting Microsoft Defender ATP support.
+
+
+
+
+### Contact support
+This option is available by clicking the icon that looks like a headset. You will then get the following page to submit your support case:
+
+
+
+1. Fill in a title and description for the issue you are facing, as well as a phone number and email address where we may reach you.
+
+2. (Optional) Include up to five attachments that are relevant to the issue in order to provide additional context for the support case.
+
+3. Select your time zone and an alternative language, if applicable. The request will be sent to Microsoft Support Team. The team will respond to your service request shortly.
+
+
+## Related topics
+- [Troubleshoot service issues](troubleshoot-mdatp.md)
+- [Check service health](service-status.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index 74f0ab9e28..e4e8f5ec72 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -19,6 +19,9 @@ ms.custom: asr
# Protect important folders with controlled folder access
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
index fc2674e848..e02de4aa8b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
@@ -18,6 +18,9 @@ ms.topic: article
# Create alert API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 6021933e52..79ab34fce9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -19,6 +19,9 @@ ms.topic: article
---
# Create custom detection rules
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md
index bae067bcec..855bd65993 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md
@@ -20,6 +20,9 @@ ms.topic: article
# View and manage custom detection rules
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
index 8a8bf44962..2773f28ed5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
@@ -16,6 +16,9 @@ manager: dansimp
# Customize attack surface reduction rules
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
index 0659908d5c..f35a4eefd9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
@@ -16,6 +16,9 @@ manager: dansimp
# Customize controlled folder access
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
index 644ad754c1..081c5218c3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
@@ -16,6 +16,9 @@ manager: dansimp
# Customize exploit protection
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
index 9cc9cb48ba..f1483165c4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
@@ -18,6 +18,9 @@ ms.topic: conceptual
---
# Verify data storage location and update data retention settings for Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
@@ -50,5 +53,4 @@ You can verify the data location by navigating to **Settings** > **Data retentio
## Related topics
- [Update data retention settings](data-retention-settings.md)
- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md)
-- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
- [Configure advanced features](advanced-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
index 6eb879daae..6e76ce4bee 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Microsoft Defender ATP data storage and privacy
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
index 50ce80ff33..fa43e76e73 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
@@ -20,6 +20,9 @@ ms.date: 04/24/2018
# Microsoft Defender Antivirus compatibility with Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
index 068f605c89..1dd2b90d07 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
@@ -18,6 +18,9 @@ ms.topic: article
# Delete Indicator API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
index 3a379ea946..000dafbddd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
@@ -20,6 +20,9 @@ ms.topic: article
---
# Deployment phases
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
index 47e19acae2..cd066db719 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
@@ -17,6 +17,9 @@ ms.topic: article
---
# Plan your Microsoft Defender ATP deployment strategy
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md b/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md
index f972394dc4..7b99cd69cd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md
@@ -17,6 +17,9 @@ ms.topic: article
---
# Microsoft Defender ATP device timeline event flags
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Event flags in the Microsoft Defender ATP device timeline help you filter and organize specific events when you're investigate potential attacks.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx
index 84b5f2a664..bd35122350 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
index 29b20bcf7f..a92e2b43c4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
@@ -20,6 +20,9 @@ ms.date: 08/21/2020
# Endpoint detection and response (EDR) in block mode
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index a9f51e70aa..36216eb833 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -17,6 +17,9 @@ manager: dansimp
# Enable attack surface reduction rules
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows:
- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
index 8c811f809d..2986e7ecf0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
@@ -17,6 +17,9 @@ manager: dansimp
# Enable controlled folder access
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
index 74c12b3f99..5707cf67b8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@@ -16,6 +16,9 @@ manager: dansimp
# Enable exploit protection
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
index bb2325ee28..a6090f9ae7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
@@ -1,6 +1,6 @@
---
-title: Turning on network protection
-description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager.
+title: Turn on network protection
+description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager.
keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -14,7 +14,10 @@ ms.reviewer:
manager: dansimp
---
-# Turning on network protection
+# Turn on network protection
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
@@ -22,6 +25,8 @@ manager: dansimp
[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it.
+[Learn more about network filtering configuration options](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering)
+
## Check if network protection is enabled
Check if network protection has been enabled on a local device by using Registry editor.
@@ -40,9 +45,8 @@ Check if network protection has been enabled on a local device by using Registry
Enable network protection by using any of these methods:
* [PowerShell](#powershell)
-* [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mobile-device-management-mmd)
-* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
+* [Mobile Device Management (MDM)](#mobile-device-management-mdm)
+* [Microsoft Endpoint Manager / Intune](#microsoft-endpoint-manager-formerly-intune)
* [Group Policy](#group-policy)
### PowerShell
@@ -62,41 +66,17 @@ Enable network protection by using any of these methods:
Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature.
-### Intune
-
-1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-
-2. Go to **Device configuration** > **Profiles** > **Create profile**.
-
-3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-
- 
-
-4. Select **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
-
- 
-
-5. Select **OK** to save each open section and **Create**.
-
-6. Select the profile called **Assignments**, assign to **All Users & All Devices**, and **Save**.
-
-### Mobile Device Management (MMD)
+### Mobile device management (MDM)
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
-## Microsoft Endpoint Configuration Manager
+### Microsoft Endpoint Manager (formerly Intune)
-1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. Sign into the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com)
-2. Then go to **Home** > **Create Exploit Guard Policy**.
+2. Create or edit an [endpoint protection configuration profile](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure)
-3. Enter a name and a description, select **Network protection**, and then **Next**.
-
-4. Choose whether to block or audit access to suspicious domains and select **Next**.
-
-5. Review the settings and select **Next** to create the policy.
-
-6. After the policy is created, **Close**.
+3. Under "Configuration Settings" in the profile flow, go to **Microsoft Defender Exploit Guard** > **Network filtering** > **Network protection** > **Enable** or **Audit only**
### Group Policy
@@ -112,6 +92,9 @@ Use the following procedure to enable network protection on domain-joined comput
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
+> [!NOTE]
+> On older versions of Windows, the group policy path may say "Windows Defender Antivirus" instead of "Microsoft Defender Antivirus."
+
4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options:
* **Block** - Users can't access malicious IP addresses and domains
* **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
index f827607d8a..8799a37ea2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
@@ -19,6 +19,9 @@ ms.topic: article
# Enable SIEM integration in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -33,7 +36,7 @@ Enable security information and event management (SIEM) integration so you can p
>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
## Prerequisites
-- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role.
+- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is someone with the following roles: Security Administrator and either Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
- During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site.
## Enabling SIEM integration
diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
index 1d8f56f5e3..5408508e47 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Enable Microsoft Defender ATP Insider Device
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune).
>[!IMPORTANT]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index e78e648ca5..35dc0c89f1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Evaluate Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
You can evaluate Microsoft Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
index 32432b5025..1c8621e5f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@@ -16,6 +16,9 @@ manager: dansimp
# Evaluate attack surface reduction rules
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
index 1df853c6ba..da54fddecf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
@@ -16,6 +16,9 @@ manager: dansimp
# Evaluate controlled folder access
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
index 1946579864..0b95bca029 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
@@ -18,6 +18,9 @@ manager: dansimp
# Evaluate exploit protection
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
index 1e08e42942..17edc7d5e5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
@@ -16,6 +16,9 @@ manager: dansimp
# Evaluate network protection
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index dd21e36602..2f57d47778 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -19,6 +19,9 @@ ms.topic: article
---
# Microsoft Defender ATP evaluation lab
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
index a856668804..54be37811e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
@@ -21,6 +21,9 @@ ms.date: 05/21/2018
# Review events and errors using Event Viewer
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- Event Viewer
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-views.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
index d373f292ac..926fa6beef 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-views.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
@@ -16,6 +16,9 @@ manager: dansimp
# View attack surface reduction events
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
new file mode 100644
index 0000000000..5cb1174b0a
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
@@ -0,0 +1,723 @@
+---
+title: Exploit Protection Reference
+keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
+description: Details on how the Exploit Protection feature works in Windows 10
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+audience: ITPro
+author: appcompatguy
+ms.author: cjacks
+ms.date: 07/20/2020
+ms.reviewer:
+manager: saudm
+ms.custom: asr
+---
+
+# Exploit Protection Reference
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Exploit Protection provides advanced protections for applications which the IT Pro can apply after the developer has compiled and distributed the software.
+
+This article helps you understand how Exploit Protection works, both at the policy level and at the individual mitigation level, to help you successfully build and apply Exploit Protection policies.
+
+## How mitigations are applied
+
+Exploit Protection mitigations are applied per application.
+
+Mitigations are configured via a registry entry for each program that you configure protections for. These settings are stored in the **MitigationOptions** registry entry for each program (**HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ *ImageFileName* \ MitigationOptions**). They take effect when you restart the program and remain effective until you change them and restart the program again.
+
+> [!IMPORTANT]
+> Image File Execution Options only allows you to specify a file name or path, and not a version number, architecture, or any other differentiator. Be careful to target mitigations to apps which have unique names or paths, applying them only on devices where you have tested that version and that architecture of the application.
+
+If you configure Exploit Protection mitigations using an XML configuration file, either via PowerShell, Group Policy, or MDM, when processing this XML configuration file, individual registry settings will be configured for you.
+
+When the policy distributing the XML file is no longer enforced, settings deployed by this XML configuration file will not be automatically removed. To remove Exploit Protection settings, export the XML configuration from a clean Windows 10 device, and deploy this new XML file. Alternately, Microsoft provides an XML file as part of the Windows Security Baselines for resetting Exploit Protection settings.
+
+To reset Exploit Protection settings using PowerShell, you could use the following command:
+
+```powershell
+Set-ProcessMitigation -PolicyFilePath EP-reset.xml
+```
+Following is the EP-reset.xml distributed with the Windows Security Baselines:
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## Mitigation Reference
+
+The below sections detail the protections provided by each Exploit Protection mitigation, the compatibility considerations for the mitigation, and the configuration options available.
+
+## Arbitrary code guard
+
+### Description
+
+Arbitrary Code Guard helps protect against a malicious attacker loading the code of their choice into memory through a memory safety vulnerability and being able to execute that code.
+
+Arbitrary Code Guard protects an application from executing dynamically generated code (code that is not loaded, for example, from the exe itself or a dll). Arbitrary Code Guard works by preventing memory from being marked as executable. When an application attempts to [allocate memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc), we check the protection flags. (Memory can be allocated with read, write, and/or execute protection flags.) If the allocation attempts to include the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the memory allocation fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to [change the protection flags of memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) that has already been allocated and includes the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the permission change fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED).
+
+By preventing the *execute* flag from being set, the Data Execution Prevention feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code.
+
+### Compatibility considerations
+
+Arbitrary Code Guard prevents allocating any memory as executable, which presents a compatibility issue with approaches such as Just-in-Time (JIT) compilers. Most modern browsers, for example, will compile JavaScript into native code in order to optimize performance. In order to support this mitigation, they will need to be rearchitected to move the JIT compilation outside of the protected process. Other applications whose design dynamically generates code from scripts or other intermediate languages will be similarly incompatible with this mitigation.
+
+### Configuration options
+
+**Allow thread opt-out** - You can configure the mitigation to allow an individual thread to opt-out of this protection. The developer must have written the application with awareness of this mitigation, and have called the [**SetThreadInformation**](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadinformation) API with the *ThreadInformation* parameter set to **ThreadDynamicCodePolicy** in order to be allowed to execute dynamic code on this thread.
+
+**Audit only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Block low integrity images
+
+### Description
+
+Block low integrity images prevents the application from loading files which are untrusted, typically because they have been downloaded from the internet from a sandboxed browser.
+
+This mitigation will block image loads if the image has an Access Control Entry (ACE) which grants access to Low IL processes and which does not have a trust label ACE. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a low integrity image, it will trigger a STATUS_ACCESS_DENIED error. For details on how integrity levels work, see [Mandatory Integrity Control](https://docs.microsoft.com/windows/win32/secauthz/mandatory-integrity-control).
+
+### Compatibility considerations
+
+Block low integrity images will prevent the application from loading files which were downloaded from the internet. If your application workflow requires loading images which are downloaded, you will want to ensure that they are downloaded from a higher-trust process, or are explicitly relabeled in order to apply this mitigation.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Block remote images
+
+### Description
+
+Block remote images will prevent the application from loading files which are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory which are on an external device controlled by the attacker.
+
+This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error.
+
+### Compatibility considerations
+
+Block remote images will prevent the application from loading images from remote devices. If your application loads files or plug-ins from remote devices, then it will not be compatible with this mitigation.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Block untrusted fonts
+
+### Description
+
+Block untrusted fonts mitigates the risk of a flaw in font parsing leading to the attacker being able to run code on the device. Only fonts which are installed into the windows\fonts directory will be loaded for processing by GDI.
+
+This mitigation is implemented within GDI, which validates the location of the file. If the file is not in the system fonts directory, the font will not be loaded for parsing and that call will fail.
+
+Note that this mitigation is in addition to the built-in mitigation provided in Windows 10 1607 and later, which moves font parsing out of the kernel and into a user-mode app container. Any exploit based on font parsing, as a result, happens in a sandboxed and isolated context, which reduces the risk significantly. For details on this mitigation, see the blog [Hardening Windows 10 with zero-day exploit mitigations](https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/).
+
+### Compatibility considerations
+
+The most common use of fonts outside of the system fonts directory is with [web fonts](https://docs.microsoft.com/typography/fonts/font-faq#web). Modern browsers, such as Microsoft Edge, use DirectWrite instead of GDI, and are not impacted. However, legacy browsers, such as Internet Explorer 11 (and IE mode in the new Microsoft Edge) can be impacted, particularly with applications such as Office 365 which use font glyphs to display UI.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Code integrity guard
+
+### Description
+
+Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. This includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process.
+
+This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary which is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process.
+
+### Compatibility considerations
+
+This mitigation specifically blocks any binary which is not signed by Microsoft. As such, it will be incompatible with most third party software, unless that software is distributed by (and digitally signed by) the Microsoft Store, and the option to allow loading of images signed by the Microsoft Store is selected.
+
+### Configuration options
+
+**Also allow loading of images signed by Microsoft Store** - Applications which are distributed by the Microsoft Store will be digitally signed by the Microsoft Store, and adding this configuration will allow binaries which have gone through the store certification process to be loaded by the application.
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Control flow guard (CFG)
+
+### Description
+
+Control flow guard (CFG) mitigates the risk of attackers leveraging memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program).
+
+This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications which are compiled with CFG support can benefit from this mitigation.
+
+The check for a valid target is provided by the Windows kernel. When executable files are loaded, the metadata for indirect call targets is extracted at load time and marked as valid call targets. Additionally, when memory is allocated and marked as executable (such as for generated code), these memory locations are also marked as valid call targets, to support mechanisms such as JIT compilation.
+
+### Compatibility considerations
+
+Since applications must be compiled to support CFG, they implicitly declare their compatibility with it. Most applications, therefore, should work with this mitigation enabled. Because these checks are compiled into the binary, the configuration you can apply is merely to disable checks within the Windows kernel. In other words, the mitigation is on by default, but you can configure the Windows kernel to always return "yes" if you later determine that there is a compatibility issue that the application developer did not discover in their testing, which should be rare.
+
+### Configuration options
+
+**Use strict CFG** - In strict mode, all binaries loaded into the process must be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded.
+
+> [!Note]
+> **Control flow guard** has no audit mode. Binaries are compiled with this mitigation enabled.
+
+## Data Execution Prevention (DEP)
+
+### Description
+
+Data Execution Prevention (DEP) prevents memory which was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code.
+
+If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash.
+
+### Compatibility considerations
+
+All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is generally assumed.
+
+All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some very old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (e.g. JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code.
+
+### Configuration options
+
+**Enable ATL Thunk emulation** - This configuration option disables ATL Thunk emulation. ATL, the ActiveX Template Library, is designed to be as small and fast as possible. In order to reduce binary size, it would use a technique called thunking. Thunking is typically thought of for interacting between 32-bit and 16-bit applications, but there are no 16-bit components to ATL here. Rather, in order to optimize for binary size, ATL will store machine code in memory which is not word-aligned (creating a smaller binary), and then invoke that code directly. ATL components compiled with Visual Studio 7.1 or earlier (Visual Studio 2003) do not allocate this memory as executable - thunk emulation resolves that compatibility issue. Applications which have a binary extension model (such as Internet Explorer 11) will often need to have ATL Thunk emulation enabled.
+
+## Disable extension points
+
+### Description
+
+This mitigation disables various extension points for an application, which might be used to establish persistence or elevate privileges of malicious content.
+
+This includes:
+
+- **AppInit DLLs** - Whenever a process starts, the system will load the specified DLL into to context of the newly started process before calling its entry point function. [Details on AppInit DLLs can be found here](https://docs.microsoft.com/windows/win32/winmsg/about-window-classes#application-global-classes). With this mitigation applied, AppInit DLLs are not loaded. Note that, beginning with Windows 7, AppInit DLLs need to be digitally signed, [as described here](https://docs.microsoft.com/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2). Additionally, beginning with Windows 8, AppInit DLLs will not be loaded if SecureBoot is enabled, [as described here](https://docs.microsoft.com/windows/win32/dlls/secure-boot-and-appinit-dlls).
+- **Legacy IMEs** - An Input Method Editor (IME) allows a user to type text in a language that has more characters than can be represented on a keyboard. Third parties are able to create IMEs. A malicious IME might obtain credentials or other sensitive information from this input capture. Some IMEs, referred to as Legacy IMEs, will only work on Windows Desktop apps, and not UWP apps. This mitigation will also prevent this legacy IME from loading into the specified Windows Desktop app.
+- **Windows Event Hooks** - An application can call the [SetWinEventHook API](https://docs.microsoft.com/windows/win32/api/winuser/nf-winuser-setwineventhook) to register interest in an event taking place. A DLL is specified and can be injected into the process. This mitigation forces the hook to be posted to the registering process rather than running in-process through an injected DLL.
+
+### Compatibility considerations
+
+Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using 3rd party Legacy IMEs which will not work with the protected application.
+
+### Configuration options
+
+There are no configuration options for this mitigation.
+
+> [!Note]
+> **Disable extension points** has no audit mode.
+
+## Disable Win32k system calls
+
+### Description
+
+Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode component, it is frequently targeted as an escape vector for applications that are sandboxed. This mitigation prevents calls into win32k.sys by blocking a thread from converting itself into a GUI thread, which is then given access to invoke Win32k functions. A thread is non-GUI when created, but converted on first call to win32k.sys, or through an API call to [IsGuiThread](https://docs.microsoft.com/windows/win32/api/winuser/nf-winuser-isguithread).
+
+### Compatibility considerations
+
+This mitigation is designed for processes which are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application which displays a GUI using a single process will be impacted by this mitigation.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Do not allow child processes
+
+### Description
+
+This mitigation prevents an application from creating new child applications. A common technique used by adversaries is to initiate a trusted process on the device with malicious input (a "living off the land" attack), which often requires launching another application on the device. If there are no legitimate reasons why an application would launch a child process, this mitigation mitigates that potential attack vector. The mitigation is applied by setting a property on the process token, which blocks creating a token for the child process with the error message STATUS_CHILD_PROCESS_BLOCKED.
+
+### Compatibility considerations
+
+If your application launches child applications for any reason, such as supporting hyperlinks which launch a browser or an external browser, or which launch other utilities on the computer, this functionality will be broken with this mitigation applied.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Export address filtering
+
+### Description
+
+Export address filtering (EAF) mitigates the risk of malicious code looking at the export address table of all loaded modules to find modules that contain useful APIs for their attack. This is a common tactic used by shellcode. In order to mitigate the risk of such an attack, this mitigation protects 3 commonly attacked modules:
+
+- ntdll.dll
+- kernelbase.dll
+- kernel32.dll
+
+The mitigation protects the memory page in the [export directory](https://docs.microsoft.com/windows/win32/debug/pe-format#export-directory-table) which points to the [export address table](https://docs.microsoft.com/windows/win32/debug/pe-format#export-address-table). This memory page will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated.
+
+### Compatibility considerations
+
+This mitigation is primarily an issue for applications such as debuggers, sandboxed applications, applications using DRM, or applications that implement anti-debugging technology.
+
+### Configuration options
+
+**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for additional commonly attacked modules:
+
+- mshtml.dll
+- flash*.ocx
+- jscript*.ocx
+- vbscript.dll
+- vgx.dll
+- mozjs.dll
+- xul.dll
+- acrord32.dll
+- acrofx32.dll
+- acroform.api
+
+Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory.
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Force randomization for images (Mandatory ASLR)
+
+### Description
+
+Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker leveraging techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose.
+
+Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019) linker option, and this mitigation has the same effect.
+
+When the memory manager is mapping in the image into the process, Mandatory ASLR will forcibly rebase DLLs and EXEs that have not opted in to ASLR. Note, however, that this rebasing has no entropy, and can therefore be placed at a predictable location in memory. For rebased and randomized location of binaries, this mitigation should be paired with [Randomize memory allocations (Bottom-up ASLR)](#randomize-memory-allocations-bottom-up-aslr).
+
+### Compatibility considerations
+
+This compatibility impact of ASLR is typically constrained to older applications which were built using compilers which made assumptions about the base address of a binary file or have stripped out base relocation information. This can lead to unpredictable errors as the execution flow attempts to jump to the expected, rather than the actual, location in memory.
+
+### Configuration options
+
+**Do not allow stripped images** - This option blocks the loading of images that have had relocation information stripped. The Windows PE file format contains absolute addresses, and the compiler also generates a [base relocation table](https://docs.microsoft.com/windows/win32/debug/pe-format#the-reloc-section-image-only) which the loader can use to find all relative memory references and their offset, so they can be updated if the binary does not load at its preferred base address. Some older applications strip out this information in production builds, and therefore these binaries cannot be rebased. This mitigation blocks such binaries from being loaded (instead of allowing them to load at their preferred base address).
+
+> [!Note]
+> **Force randomization for images (Mandatory ASLR)** has no audit mode.
+
+## Import address filtering (IAF)
+
+### Description
+
+The Import address filtering (IAF) mitigation helps mitigate the risk of an adversary changing the control flow of an application by modifying the import address table (IAT) to redirect to arbitrary code of the attacker's choice when that function is called. An attacker could use this approach to hijack control, or to intercept, inspect, and potentially block calls to sensitive APIs.
+
+The memory pages for all protected APIs will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to them. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated.
+
+This mitigation protects the following Windows APIs:
+
+- GetProcAddress
+- GetProcAddressForCaller
+- LoadLibraryA
+- LoadLibraryExA
+- LoadLibraryW
+- LoadLibraryExW
+- LdrGetProcedureAddress
+- LdrGetProcedureAddressEx
+- LdrGetProcedureAddressForCaller
+- LdrLoadDll
+- VirtualProtect
+- VirtualProtectEx
+- VirtualAlloc
+- VirtualAllocEx
+- NtAllocateVirtualMemory
+- NtProtectVirtualMemory
+- CreateProcessA
+- CreateProcessW
+- WinExec
+- CreateProcessAsUserA
+- CreateProcessAsUserW
+- GetModuleHandleA
+- GetModuleHandleW
+- RtlDecodePointer
+- DecodePointer
+
+### Compatibility considerations
+
+Legitimate applications which perform API interception may be detected by this mitigation and cause some applications to crash. Examples include security software and application compatibility shims.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Randomize memory allocations (Bottom-up ASLR)
+
+### Description
+
+Randomize memory allocations (Bottom-up ASLR) adds entropy to relocations, so their location is randomized and therefore less predictable. This mitigation requires Mandatory ASLR to take effect.
+
+Note that the size of the 32-bit address space places practical constraints on the entropy that can be added, and therefore 64-bit applications make it significantly more difficult for an attacker to guess a location in memory.
+
+### Compatibility considerations
+
+Most applications which are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4GB), and thus will be incompatible with the high entropy option (which can be disabled).
+
+### Configuration options
+
+**Don't use high entropy** - this option disables the use of high-entropy ASLR, which adds 24 bits of entropy (1TB of variance) into the bottom-up allocation for 64-bit applications.
+
+> [!Note]
+> **Randomize memory allocations (Bottom-up ASLR)** has no audit mode.
+
+## Simulate execution (SimExec)
+
+### Description
+
+Simulate execution (SimExec) is a mitigation for 32-bit applications only which helps validate that calls to sensitive APIs will return to legitimate caller functions. It does this by intercepting calls into sensitive APIs, and then simulating the execution of those APIs by walking through the encoded assembly language instructions looking for the RET instruction, which should return to the caller. It then inspects that function and walks backwards in memory to find the preceding CALL instruction to compare if the two match and that the RET hasn't been intercepted.
+
+The APIs intercepted by this mitigation are:
+
+- LoadLibraryA
+- LoadLibraryW
+- LoadLibraryExA
+- LoadLibraryExW
+- LdrLoadDll
+- VirtualAlloc
+- VirtualAllocEx
+- NtAllocateVirtualMemory
+- VirtualProtect
+- VirtualProtectEx
+- NtProtectVirtualMemory
+- HeapCreate
+- RtlCreateHeap
+- CreateProcessA
+- CreateProcessW
+- CreateProcessInternalA
+- CreateProcessInternalW
+- NtCreateUserProcess
+- NtCreateProcess
+- NtCreateProcessEx
+- CreateRemoteThread
+- CreateRemoteThreadEx
+- NtCreateThreadEx
+- WriteProcessMemory
+- NtWriteVirtualMemory
+- WinExec
+- CreateFileMappingA
+- CreateFileMappingW
+- CreateFileMappingNumaW
+- NtCreateSection
+- MapViewOfFile
+- MapViewOfFileEx
+- MapViewOfFileFromApp
+- LdrGetProcedureAddressForCaller
+
+If a ROP gadget is detected, the process is terminated.
+
+### Compatibility considerations
+
+Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation.
+
+This mitigation is incompatible with the Arbitrary Code Guard mitigation.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Validate API invocation (CallerCheck)
+
+### Description
+
+Validate API invocation (CallerCheck) is a mitigation for return oriented programming (ROP) techniques which validates that sensitive APIs were called from a valid caller. This mitigation inspects the passed return address, and then heuristically disassembles backwards to find a call above the return address to determine if the call target matches the parameter passed into the function.
+
+The APIs intercepted by this mitigation are:
+
+- LoadLibraryA
+- LoadLibraryW
+- LoadLibraryExA
+- LoadLibraryExW
+- LdrLoadDll
+- VirtualAlloc
+- VirtualAllocEx
+- NtAllocateVirtualMemory
+- VirtualProtect
+- VirtualProtectEx
+- NtProtectVirtualMemory
+- HeapCreate
+- RtlCreateHeap
+- CreateProcessA
+- CreateProcessW
+- CreateProcessInternalA
+- CreateProcessInternalW
+- NtCreateUserProcess
+- NtCreateProcess
+- NtCreateProcessEx
+- CreateRemoteThread
+- CreateRemoteThreadEx
+- NtCreateThreadEx
+- WriteProcessMemory
+- NtWriteVirtualMemory
+- WinExec
+- CreateFileMappingA
+- CreateFileMappingW
+- CreateFileMappingNumaW
+- NtCreateSection
+- MapViewOfFile
+- MapViewOfFileEx
+- MapViewOfFileFromApp
+- LdrGetProcedureAddressForCaller
+
+If a ROP gadget is detected, the process is terminated.
+
+### Compatibility considerations
+
+Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation.
+
+This mitigation is incompatible with the Arbitrary Code Guard mitigation.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Validate exception chains (SEHOP)
+
+### Description
+
+Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured Exception Handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.
+
+This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that:
+
+- All exception chain records are within the stack boundaries
+- All exception records are aligned
+- No exception handler pointers are pointing to the stack
+- There are no backward pointers
+- The exception chain ends at a known final exception handler
+
+If these validations fail, then exception handling is aborted, and the exception will not be handled.
+
+### Compatibility considerations
+
+Compatibility issues with SEHOP are relatively rare. It's uncommon for an application to take a dependency on corrupting the exception chain. However, some applications are impacted by the subtle changes in timing, which may manifest as a race condition that reveals a latent multi-threading bug in the application.
+
+### Configuration options
+
+> [!Note]
+> **Validate exception chains (SEHOP)** has no audit mode.
+
+## Validate handle usage
+
+### Description
+
+*Validate handle usage* is a mitigation which helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE).
+
+This mitigation is automatically applied to Windows Store applications.
+
+### Compatibility considerations
+
+Applications which were not accurately tracking handle references, and which were not wrapping these operations in exception handlers, will potentially be impacted by this mitigation.
+
+### Configuration options
+
+> [!Note]
+> **Validate handle usage** has no audit mode.
+
+## Validate heap integrity
+
+### Description
+
+The *validate heap integrity* mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected. The mitigations include:
+
+- Preventing a HEAP handle from being freed
+- Performing additional validation on extended block headers for heap allocations
+- Verifying that heap allocations are not already flagged as in-use
+- Adding guard pages to large allocations, heap segments, and subsegments above a minimum size
+
+### Compatibility considerations
+
+This mitigation is already applied by default for 64-bit applications and for 32-bit applications targeting Windows Vista or later. Legacy applications from Windows XP or earlier are most at-risk, though compatibility issues are rare.
+
+### Configuration options
+
+> [!Note]
+> **Validate heap integrity** has no audit mode.
+
+## Validate image dependency integrity
+
+### Description
+
+The *validate image dependency* mitigation helps protect against attacks which attempt to substitute code for dlls which are statically linked by Windows binaries. The technique of DLL planting abuses the loader's search mechanism to inject malicious code, which can be used to get malicious code running in an elevated context. When the loader is loading a Windows signed binary, and then loads up any dlls that the binary depends on, these binaries will be verified to ensure that they are also digitally signed as a Windows binary. If they fail the signature check, the dll will not be loaded, and will throw an exception, returning a status of STATUS_INVALID_IMAGE_HASH.
+
+### Compatibility considerations
+
+Compatibility issues are uncommon. Applications which depend on replacing Windows binaries with local private versions will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Validate stack integrity (StackPivot)
+
+### Description
+
+The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack which controls the flow of execution.
+
+This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated.
+
+The APIs intercepted by this mitigation are:
+
+- LoadLibraryA
+- LoadLibraryW
+- LoadLibraryExA
+- LoadLibraryExW
+- LdrLoadDll
+- VirtualAlloc
+- VirtualAllocEx
+- NtAllocateVirtualMemory
+- VirtualProtect
+- VirtualProtectEx
+- NtProtectVirtualMemory
+- HeapCreate
+- RtlCreateHeap
+- CreateProcessA
+- CreateProcessW
+- CreateProcessInternalA
+- CreateProcessInternalW
+- NtCreateUserProcess
+- NtCreateProcess
+- NtCreateProcessEx
+- CreateRemoteThread
+- CreateRemoteThreadEx
+- NtCreateThreadEx
+- WriteProcessMemory
+- NtWriteVirtualMemory
+- WinExec
+- CreateFileMappingA
+- CreateFileMappingW
+- CreateFileMappingNumaW
+- NtCreateSection
+- MapViewOfFile
+- MapViewOfFileEx
+- MapViewOfFileFromApp
+- LdrGetProcedureAddressForCaller
+
+### Compatibility considerations
+
+Applications which are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
+Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation.
+
+This mitigation is incompatible with the Arbitrary Code Guard mitigation.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
index b330f4798b..e4174dddea 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -19,6 +19,9 @@ ms.custom: asr
# Protect devices from exploits
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
index 8bdf15c60a..8f4d3dec0e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
@@ -19,6 +19,9 @@ ms.topic: article
# Use Microsoft Defender ATP APIs
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
index 53f48b4a51..2b71b7c2cf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
@@ -19,6 +19,9 @@ ms.topic: article
# Partner access through Microsoft Defender ATP APIs
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
index be3db97ab4..e4a7458f08 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
@@ -19,6 +19,9 @@ ms.topic: article
# Create an app to access Microsoft Defender ATP without a user
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
index f93889cb75..1ad142d2e4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
@@ -19,6 +19,9 @@ ms.date: 09/24/2018
---
# Microsoft Defender ATP APIs using PowerShell
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
index 535ec63d9c..d5115891d3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
@@ -19,6 +19,9 @@ ms.topic: article
# Supported Microsoft Defender ATP APIs
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index c820d3d69e..e5f5fcad0b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -19,6 +19,9 @@ ms.topic: article
# OData queries with Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -38,7 +41,7 @@ Not all properties are filterable.
Get 10 latest Alerts with related Evidence
-```
+```http
HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
```
@@ -144,9 +147,9 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
### Example 2
-Get all the alerts last updated after 2019-10-20 00:00:00
+Get all the alerts last updated after 2019-11-22 00:00:00
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z
```
@@ -202,7 +205,7 @@ HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTi
Get all the devices with 'High' 'RiskScore'
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High'
```
@@ -241,7 +244,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+
Get top 100 devices with 'HealthStatus' not equals to 'Active'
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100
```
@@ -280,7 +283,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStat
Get all the devices that last seen after 2018-10-20
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
```
@@ -319,7 +322,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen g
Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
```
@@ -351,7 +354,7 @@ json{
Get the count of open alerts for a specific device:
-```
+```http
HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
index 7f62a2a426..0d0ee850c5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
@@ -20,6 +20,9 @@ ms.collection:
# Feedback-loop blocking
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
index f0ccb1577e..d21ad49611 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
@@ -1,4 +1,4 @@
----
+---
title: Fetch alerts from MSSP customer tenant
description: Learn how to fetch alerts from a customer tenant
keywords: managed security service provider, mssp, configure, integration
@@ -19,6 +19,9 @@ ms.topic: article
# Fetch alerts from MSSP customer tenant
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -182,7 +185,7 @@ You'll need to have **Manage portal system settings** permission to allow the ap
You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
-- In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application key manually by settings the secret value.
+- In the ArcSight configuration file / Splunk Authentication Properties file ? you will have to write your application key manually by settings the secret value.
- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
## Fetch alerts from MSSP customer's tenant using APIs
diff --git a/windows/security/threat-protection/microsoft-defender-atp/files.md b/windows/security/threat-protection/microsoft-defender-atp/files.md
index 5ef6fc7ec4..2b27cae459 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/files.md
@@ -18,6 +18,9 @@ ms.topic: article
# File resource type
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -75,4 +78,4 @@ determinationValue | String | Determination value.
"determinationType": "Pua",
"determinationValue": "PUA:Win32/FusionCore"
}
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md
index 59c2006e13..d0690e63d2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md
@@ -18,6 +18,9 @@ ms.topic: article
# Find device information by internal IP API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
index 9d7a2a71d0..e4a3b8ac99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
@@ -18,6 +18,9 @@ ms.topic: article
# Find devices by internal IP API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
index 737e32b036..9afb49c31b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
@@ -20,6 +20,9 @@ ms.date: 10/23/2017
# Fix unhealthy sensors in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
index 00887c1ccb..d5ed580340 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get alert information by ID API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
index ac7cf2410a..6b256610ed 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get alert related domain information API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
index 519afaa0e3..5ac0f2d01a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get alert related files information API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
index cf783ffeda..9b841e71af 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get alert related IPs information API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
index 2b030497a2..94132932d5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get alert related machine information API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
index e5d037ad94..4c54267d9a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get alert related user information API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index 16e865448e..e0b7e0c358 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -18,6 +18,9 @@ ms.topic: article
# List alerts API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
index 94487dd4ff..c49e958dfb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
@@ -17,6 +17,9 @@ ms.topic: article
---
# List all recommendations
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
index 3ec0c82630..f3be9540c4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
@@ -18,6 +18,9 @@ ms.topic: article
# List vulnerabilities by machine and software
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Retrieves a list of all the vulnerabilities affecting the organization per [machine](machine.md) and [software](software.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
index 8b61f18cfc..262c80a1bf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
@@ -17,6 +17,9 @@ ms.topic: article
---
# List vulnerabilities
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
index 1bb48a3550..d4dac32b7b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
@@ -20,6 +20,9 @@ ROBOTS: NOINDEX
# Get CVE-KB map API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
index b33b579f20..2c896a9943 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get device secure score
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
index 333b21f72f..10ff59d2ea 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get discovered vulnerabilities
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
index d3a4e5bc56..59c2587cda 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get domain related alerts API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
index da65275c62..662f9724e7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get domain related machines API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
index 2da9aa6675..efb793f5cc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get domain statistics API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
index c31cd33d28..77c92c030f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get exposure score
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
index 12b129b43f..db6f1f2f72 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get file information API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
index 446e50982d..7ccb81730f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get file related alerts API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
index 029c7fc1d5..09aef678f7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get file related machines API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
index 6f35b59012..9f480df6b7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get file statistics API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
index 4ae4475d50..79f263d9b0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
@@ -17,6 +17,9 @@ ms.topic: article
---
# Get installed software
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
index 03fc53560f..676eba4bd3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
@@ -18,6 +18,9 @@ ms.topic: article
# List Investigations API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md
index 933c2cde60..99fd6a043d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get Investigation API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
index a3093915d5..c8a2ab1f94 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get IP related alerts API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -76,4 +79,4 @@ Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
index 5d0c64e02c..ffd9485045 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get IP statistics API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
index f922b6a35e..d41005cb74 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
@@ -20,6 +20,9 @@ ROBOTS: NOINDEX
# Get KB collection API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -78,4 +81,4 @@ Content-type: application/json
},
…
}
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
index 832b6cd185..3cc89cd33b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get machine by ID API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
index 05b0cbef9d..92b5fae137 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
@@ -16,7 +16,10 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# List exposure score by device group
+# List exposure score by device group
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
index 9856c6c603..e673d96cf0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get machine log on users API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
index 2aa5a05832..f47cdd76d2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get machine related alerts API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
index abd2981676..b7a20c7b89 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get machineAction API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
index c8a2ee671c..5569002ec3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
@@ -18,6 +18,9 @@ ms.topic: article
# List MachineActions API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md
index b3de168061..ff88b78222 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md
@@ -20,6 +20,9 @@ ms.date: 10/07/2018
# Get KB collection API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -78,4 +81,4 @@ Content-type: application/json
"ungrouped":true},
…
}
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
index e066fab80a..d3c3f50dca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
@@ -18,6 +18,9 @@ ms.topic: article
# List devices by software
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
index 71597be89f..02ea057f59 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
@@ -17,6 +17,9 @@ ms.topic: article
---
# List devices by vulnerability
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
index 5c24fe2ff9..6f6c6177e9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
@@ -18,6 +18,9 @@ ms.topic: article
# List machines API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
index 9c22b88199..0da42db679 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
@@ -19,6 +19,9 @@ ms.topic: article
# Get Machines security states collection API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -84,4 +87,4 @@ Content-type: application/json
…
]
}
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
index 1fa1040fdc..510c7516c2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get missing KBs by device ID
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
index a14e6588c5..6b6bf2db5f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get missing KBs by software ID
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
index 3ecec47c0d..a43102c733 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get package SAS URI API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
index 5b5ce91ff1..b7bc3ab58f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
@@ -17,6 +17,9 @@ ms.topic: article
---
# Get recommendation by ID
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
index fd557b7129..2bdfb4a6e4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
@@ -17,6 +17,9 @@ ms.topic: article
---
# List devices by recommendation
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
index c4654ccd11..449bb2bd1d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
@@ -17,6 +17,9 @@ ms.topic: article
---
# Get recommendation by software
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
index a7218907c7..156cef803c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
@@ -17,6 +17,9 @@ ms.topic: article
---
# List vulnerabilities by recommendation
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
index e071070fba..dffd2a0613 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
@@ -17,6 +17,9 @@ ms.topic: article
---
# Get security recommendations
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
index a596b5e16e..0074439db0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get software by Id
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
index 8263dd34d3..e9b64f2ad1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
@@ -18,6 +18,9 @@ ms.topic: article
# List software version distribution
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
index 5e97985a54..e205e5f5b7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
@@ -18,6 +18,9 @@ ms.topic: article
# List software inventory API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
index 04eec16b78..0b87266339 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Become a Microsoft Defender ATP partner
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -29,7 +32,7 @@ To become a Microsoft Defender ATP solution partner, you'll need to follow and c
Subscribing to the [Microsoft Defender ATP Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9) allows you to use a Microsoft Defender ATP tenant with up to 10 devices for developing solutions to integrate with Microsoft Defender ATP.
## Step 2: Fulfill the solution validation and certification requirements
-The best way for technology partners to certify their integration works, is to have a joint customer approve the suggested integration design and have it tested and demoed to the Microsoft Defender ATP team.
+The best way for technology partners to certify that their integration works is to have a joint customer approve the suggested integration design (the customer can use the **Recommend a partner** option in the [Partner Application page](https://securitycenter.microsoft.com/interoperability/partners) in the Microsoft Defender Security Center) and have it tested and demoed to the Microsoft Defender ATP team.
Once the Microsoft Defender ATP team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
index 88927d6912..41c5a0ebdd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
@@ -18,6 +18,9 @@ ms.topic: article
# List Indicators API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
index a5efe702fe..80617258d3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
@@ -17,6 +17,9 @@ ms.topic: article
---
# Get user information API
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
index 0a052683b6..3d00668c3b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get user related alerts API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -77,4 +80,4 @@ Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/users/user1/alerts
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
index 7116b8080d..28c129e51c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
@@ -18,6 +18,9 @@ ms.topic: article
# Get user related machines API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
index 056f883007..4a5514ff10 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
@@ -18,6 +18,9 @@ ms.topic: article
# List vulnerabilities by software
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
index 4dd3118f79..27b633e634 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
@@ -17,6 +17,9 @@ ms.topic: article
---
# Get vulnerability by ID
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
index fc801373b0..1feba6fc45 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
@@ -1,4 +1,4 @@
----
+---
title: Grant access to managed security service provider (MSSP)
description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
keywords: managed security service provider, mssp, configure, integration
@@ -19,6 +19,9 @@ ms.topic: article
# Grant managed security service provider (MSSP) access (preview)
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -53,7 +56,7 @@ To implement a multi-tenant delegated access solution, take the following steps:
- Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via “Assigned user groups”.
+ Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via Assigned user groups.
Two possible roles:
@@ -117,13 +120,13 @@ To implement a multi-tenant delegated access solution, take the following steps:
Access requests are managed in the customer My Access, by members of the MSSP Analyst Approvers group.
- To do so, access the customer’s myaccess using:
+ To do so, access the customers myaccess using:
`https://myaccess.microsoft.com/@`.
Example: `https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/`
2. Approve or deny requests in the **Approvals** section of the UI.
- At this point, analyst access has been provisioned, and each analyst should be able to access the customer’s Microsoft Defender Security Center: `https://securitycenter.Microsoft.com/?tid=`
+ At this point, analyst access has been provisioned, and each analyst should be able to access the customers Microsoft Defender Security Center: `https://securitycenter.Microsoft.com/?tid=`
## Related topics
- [Access the MSSP customer portal](access-mssp-portal.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
index 30e6e789bd..1b411df76d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Helpful Microsoft Defender Advanced Threat Protection resources
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -57,4 +60,4 @@ Access helpful resources such as links to blogs and other resources related to
](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271)
- [How automation brings value to your security
- teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297)
\ No newline at end of file
+ teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/04245db47e1456f22d473980089ca69e.png b/windows/security/threat-protection/microsoft-defender-atp/images/04245db47e1456f22d473980089ca69e.png
new file mode 100644
index 0000000000..9a854aad6a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/04245db47e1456f22d473980089ca69e.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/07e6d4119f265037e3b80a20a73b856f.png b/windows/security/threat-protection/microsoft-defender-atp/images/07e6d4119f265037e3b80a20a73b856f.png
index c0227b91bb..eac5e07fae 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/07e6d4119f265037e3b80a20a73b856f.png and b/windows/security/threat-protection/microsoft-defender-atp/images/07e6d4119f265037e3b80a20a73b856f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/099eb1b3e2d9a4fed03e9b7ef1de9765.png b/windows/security/threat-protection/microsoft-defender-atp/images/099eb1b3e2d9a4fed03e9b7ef1de9765.png
new file mode 100644
index 0000000000..33da3dde26
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/099eb1b3e2d9a4fed03e9b7ef1de9765.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/09a275e321268e5e3ac0c0865d3e2db5.png b/windows/security/threat-protection/microsoft-defender-atp/images/09a275e321268e5e3ac0c0865d3e2db5.png
new file mode 100644
index 0000000000..b033d8f6b8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/09a275e321268e5e3ac0c0865d3e2db5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0adb21c13206861ba9b30a879ade93d3.png b/windows/security/threat-protection/microsoft-defender-atp/images/0adb21c13206861ba9b30a879ade93d3.png
new file mode 100644
index 0000000000..b4a524f421
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0adb21c13206861ba9b30a879ade93d3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0add8019b85a453b47fa5c402c72761b.png b/windows/security/threat-protection/microsoft-defender-atp/images/0add8019b85a453b47fa5c402c72761b.png
new file mode 100644
index 0000000000..2e663efc76
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0add8019b85a453b47fa5c402c72761b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0c04975c74746a5cdb085e1d9386e713.png b/windows/security/threat-protection/microsoft-defender-atp/images/0c04975c74746a5cdb085e1d9386e713.png
new file mode 100644
index 0000000000..808a10141e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0c04975c74746a5cdb085e1d9386e713.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0dde8a4c41110dbc398c485433a81359.png b/windows/security/threat-protection/microsoft-defender-atp/images/0dde8a4c41110dbc398c485433a81359.png
new file mode 100644
index 0000000000..1933fdec00
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0dde8a4c41110dbc398c485433a81359.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0df36fc308ba569db204ee32db3fb40a.png b/windows/security/threat-protection/microsoft-defender-atp/images/0df36fc308ba569db204ee32db3fb40a.png
new file mode 100644
index 0000000000..cb2c5784fd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0df36fc308ba569db204ee32db3fb40a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0f79cb37900b57c3e2bb0effad1c19cb.png b/windows/security/threat-protection/microsoft-defender-atp/images/0f79cb37900b57c3e2bb0effad1c19cb.png
index cc772a98e5..6e7df1e6a3 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/0f79cb37900b57c3e2bb0effad1c19cb.png and b/windows/security/threat-protection/microsoft-defender-atp/images/0f79cb37900b57c3e2bb0effad1c19cb.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/10ab98358b2d602f3f67618735fa82fb.png b/windows/security/threat-protection/microsoft-defender-atp/images/10ab98358b2d602f3f67618735fa82fb.png
new file mode 100644
index 0000000000..30b0d05525
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/10ab98358b2d602f3f67618735fa82fb.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1213872db5833aa8be535da57653219f.png b/windows/security/threat-protection/microsoft-defender-atp/images/1213872db5833aa8be535da57653219f.png
new file mode 100644
index 0000000000..211267d73d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1213872db5833aa8be535da57653219f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1359fbfdd8bd9ee74c3bb487a05b956c.png b/windows/security/threat-protection/microsoft-defender-atp/images/1359fbfdd8bd9ee74c3bb487a05b956c.png
new file mode 100644
index 0000000000..ebba81f9c4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1359fbfdd8bd9ee74c3bb487a05b956c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png b/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png
new file mode 100644
index 0000000000..e1003dbe5c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1626d138e6309c6e87bfaab64f5ccf7b.png b/windows/security/threat-protection/microsoft-defender-atp/images/1626d138e6309c6e87bfaab64f5ccf7b.png
new file mode 100644
index 0000000000..e9ad710109
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1626d138e6309c6e87bfaab64f5ccf7b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png b/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png
new file mode 100644
index 0000000000..d631a23a7a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png b/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png
new file mode 100644
index 0000000000..624db40b02
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png b/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png
new file mode 100644
index 0000000000..00757fde1a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1aa5aaa0a387f4e16ce55b66facc77d1.png b/windows/security/threat-protection/microsoft-defender-atp/images/1aa5aaa0a387f4e16ce55b66facc77d1.png
new file mode 100644
index 0000000000..b0fb764d52
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1aa5aaa0a387f4e16ce55b66facc77d1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png b/windows/security/threat-protection/microsoft-defender-atp/images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png
new file mode 100644
index 0000000000..2da3d1c9ca
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1c08d097829863778d562c10c5f92b67.png b/windows/security/threat-protection/microsoft-defender-atp/images/1c08d097829863778d562c10c5f92b67.png
new file mode 100644
index 0000000000..9604e5fc29
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1c08d097829863778d562c10c5f92b67.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1c9bd3f68db20b80193dac18f33c22d0.png b/windows/security/threat-protection/microsoft-defender-atp/images/1c9bd3f68db20b80193dac18f33c22d0.png
new file mode 100644
index 0000000000..00a6103e30
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1c9bd3f68db20b80193dac18f33c22d0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1f72e9c15eaafcabf1504397e99be311.png b/windows/security/threat-protection/microsoft-defender-atp/images/1f72e9c15eaafcabf1504397e99be311.png
new file mode 100644
index 0000000000..a4a5bb1008
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1f72e9c15eaafcabf1504397e99be311.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png b/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png
new file mode 100644
index 0000000000..3222b1f66d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/206b3d954f06cc58b3466fb7a0bd9f74.png b/windows/security/threat-protection/microsoft-defender-atp/images/206b3d954f06cc58b3466fb7a0bd9f74.png
index 1c1d7284c9..b6a05adc69 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/206b3d954f06cc58b3466fb7a0bd9f74.png and b/windows/security/threat-protection/microsoft-defender-atp/images/206b3d954f06cc58b3466fb7a0bd9f74.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/20e33b98eb54447881dc6c89e58b890f.png b/windows/security/threat-protection/microsoft-defender-atp/images/20e33b98eb54447881dc6c89e58b890f.png
new file mode 100644
index 0000000000..c8722ddd31
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/20e33b98eb54447881dc6c89e58b890f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/216253cbfb6ae738b9f13496b9c799fd.png b/windows/security/threat-protection/microsoft-defender-atp/images/216253cbfb6ae738b9f13496b9c799fd.png
new file mode 100644
index 0000000000..35f0fdcd33
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/216253cbfb6ae738b9f13496b9c799fd.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/219bef7e5ebfdd0e2078f4a27535296a.png b/windows/security/threat-protection/microsoft-defender-atp/images/219bef7e5ebfdd0e2078f4a27535296a.png
new file mode 100644
index 0000000000..ae40584eb5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/219bef7e5ebfdd0e2078f4a27535296a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/21de3658bf58b1b767a17358a3f06341.png b/windows/security/threat-protection/microsoft-defender-atp/images/21de3658bf58b1b767a17358a3f06341.png
new file mode 100644
index 0000000000..f50308e890
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/21de3658bf58b1b767a17358a3f06341.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/22cb439de958101c0a12f3038f905b27.png b/windows/security/threat-protection/microsoft-defender-atp/images/22cb439de958101c0a12f3038f905b27.png
new file mode 100644
index 0000000000..0ee45bfe4d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/22cb439de958101c0a12f3038f905b27.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png b/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png
new file mode 100644
index 0000000000..8979120d8f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/24e290f5fc309932cf41f3a280d22c14.png b/windows/security/threat-protection/microsoft-defender-atp/images/24e290f5fc309932cf41f3a280d22c14.png
new file mode 100644
index 0000000000..38c794c2e4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/24e290f5fc309932cf41f3a280d22c14.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/253274b33e74f3f5b8d475cf8692ce4e.png b/windows/security/threat-protection/microsoft-defender-atp/images/253274b33e74f3f5b8d475cf8692ce4e.png
new file mode 100644
index 0000000000..940d23f8e7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/253274b33e74f3f5b8d475cf8692ce4e.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/264493cd01e62c7085659d6fdc26dc91.png b/windows/security/threat-protection/microsoft-defender-atp/images/264493cd01e62c7085659d6fdc26dc91.png
new file mode 100644
index 0000000000..f5e8adcd57
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/264493cd01e62c7085659d6fdc26dc91.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/26f0f7a5f3a6d95aa32a9e3d6d1a38a4.png b/windows/security/threat-protection/microsoft-defender-atp/images/26f0f7a5f3a6d95aa32a9e3d6d1a38a4.png
new file mode 100644
index 0000000000..e887ffeb72
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/26f0f7a5f3a6d95aa32a9e3d6d1a38a4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png b/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png
new file mode 100644
index 0000000000..6b378bc697
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2bda9244ec25d1526811da4ea91b1c86.png b/windows/security/threat-protection/microsoft-defender-atp/images/2bda9244ec25d1526811da4ea91b1c86.png
new file mode 100644
index 0000000000..ef1fa51714
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2bda9244ec25d1526811da4ea91b1c86.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png b/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png
new file mode 100644
index 0000000000..ac2634f33b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2c49b16cd112729b3719724f581e6882.png b/windows/security/threat-protection/microsoft-defender-atp/images/2c49b16cd112729b3719724f581e6882.png
new file mode 100644
index 0000000000..4b2410ad5e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2c49b16cd112729b3719724f581e6882.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2f66647cbcefaa4088a5df19d9203afb.png b/windows/security/threat-protection/microsoft-defender-atp/images/2f66647cbcefaa4088a5df19d9203afb.png
new file mode 100644
index 0000000000..b33ac87a2c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2f66647cbcefaa4088a5df19d9203afb.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/30be88b63abc5e8dde11b73f1b1ade6a.png b/windows/security/threat-protection/microsoft-defender-atp/images/30be88b63abc5e8dde11b73f1b1ade6a.png
new file mode 100644
index 0000000000..af749f43cc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/30be88b63abc5e8dde11b73f1b1ade6a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3160906404bc5a2edf84d1d015894e3b.png b/windows/security/threat-protection/microsoft-defender-atp/images/3160906404bc5a2edf84d1d015894e3b.png
new file mode 100644
index 0000000000..b7ab38e50d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3160906404bc5a2edf84d1d015894e3b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/321ba245f14743c1d5d51c15e99deecc.png b/windows/security/threat-protection/microsoft-defender-atp/images/321ba245f14743c1d5d51c15e99deecc.png
new file mode 100644
index 0000000000..14d3cfb8dd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/321ba245f14743c1d5d51c15e99deecc.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/335aff58950ce62d1dabc289ecdce9ed.png b/windows/security/threat-protection/microsoft-defender-atp/images/335aff58950ce62d1dabc289ecdce9ed.png
new file mode 100644
index 0000000000..b536944e24
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/335aff58950ce62d1dabc289ecdce9ed.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/33e2b2a1611fdddf6b5b79e54496e3bb.png b/windows/security/threat-protection/microsoft-defender-atp/images/33e2b2a1611fdddf6b5b79e54496e3bb.png
new file mode 100644
index 0000000000..1a95f07037
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/33e2b2a1611fdddf6b5b79e54496e3bb.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/33f1ecdc7d4872555418bbc3efe4b7a3.png b/windows/security/threat-protection/microsoft-defender-atp/images/33f1ecdc7d4872555418bbc3efe4b7a3.png
new file mode 100644
index 0000000000..06aed3038e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/33f1ecdc7d4872555418bbc3efe4b7a3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/34e6b9a0dae125d085c84593140180ed.png b/windows/security/threat-protection/microsoft-defender-atp/images/34e6b9a0dae125d085c84593140180ed.png
index e08fb904df..c8872c4cfb 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/34e6b9a0dae125d085c84593140180ed.png and b/windows/security/threat-protection/microsoft-defender-atp/images/34e6b9a0dae125d085c84593140180ed.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/368d35b3d6179af92ffdbfd93b226b69.png b/windows/security/threat-protection/microsoft-defender-atp/images/368d35b3d6179af92ffdbfd93b226b69.png
new file mode 100644
index 0000000000..dea45e1206
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/368d35b3d6179af92ffdbfd93b226b69.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png b/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png
new file mode 100644
index 0000000000..157e426bc0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png b/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png
new file mode 100644
index 0000000000..32a776aef9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/38c67ee1905c4747c3b26c8eba57726b.png b/windows/security/threat-protection/microsoft-defender-atp/images/38c67ee1905c4747c3b26c8eba57726b.png
new file mode 100644
index 0000000000..fbb8656f8b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/38c67ee1905c4747c3b26c8eba57726b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/39cf120d3ac3652292d8d1b6d057bd60.png b/windows/security/threat-protection/microsoft-defender-atp/images/39cf120d3ac3652292d8d1b6d057bd60.png
new file mode 100644
index 0000000000..6d201f5e90
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/39cf120d3ac3652292d8d1b6d057bd60.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3c0a231f83cfb5a256d99ae575400d9b.png b/windows/security/threat-protection/microsoft-defender-atp/images/3c0a231f83cfb5a256d99ae575400d9b.png
new file mode 100644
index 0000000000..ebe69e0005
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3c0a231f83cfb5a256d99ae575400d9b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3ced5383a6be788486d89d407d042f28.png b/windows/security/threat-protection/microsoft-defender-atp/images/3ced5383a6be788486d89d407d042f28.png
new file mode 100644
index 0000000000..4ff3e0fb7c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3ced5383a6be788486d89d407d042f28.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4139848399185472abaa0ce2f34a883a.png b/windows/security/threat-protection/microsoft-defender-atp/images/4139848399185472abaa0ce2f34a883a.png
new file mode 100644
index 0000000000..de3cbeb5bb
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4139848399185472abaa0ce2f34a883a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/41627a709700c324849bf7e13510c516.png b/windows/security/threat-protection/microsoft-defender-atp/images/41627a709700c324849bf7e13510c516.png
new file mode 100644
index 0000000000..fd58d3cb11
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/41627a709700c324849bf7e13510c516.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4239ca0528efb0734e4ca0b490bfb22d.png b/windows/security/threat-protection/microsoft-defender-atp/images/4239ca0528efb0734e4ca0b490bfb22d.png
new file mode 100644
index 0000000000..8bd862cd66
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4239ca0528efb0734e4ca0b490bfb22d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png b/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png
new file mode 100644
index 0000000000..9f4126d345
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png b/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png
new file mode 100644
index 0000000000..6ffdab3e67
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/441aa2ecd36abadcdd8aed03556080b5.png b/windows/security/threat-protection/microsoft-defender-atp/images/441aa2ecd36abadcdd8aed03556080b5.png
new file mode 100644
index 0000000000..9d1b985470
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/441aa2ecd36abadcdd8aed03556080b5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/45156aa74077fc82cd4223f3dcb8cd76.png b/windows/security/threat-protection/microsoft-defender-atp/images/45156aa74077fc82cd4223f3dcb8cd76.png
new file mode 100644
index 0000000000..041e7d946c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/45156aa74077fc82cd4223f3dcb8cd76.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png b/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png
new file mode 100644
index 0000000000..7f542a3c8c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png b/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png
new file mode 100644
index 0000000000..d0679c71a7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4922c0fcdde4c7f73242b13bf5e35c19.png b/windows/security/threat-protection/microsoft-defender-atp/images/4922c0fcdde4c7f73242b13bf5e35c19.png
new file mode 100644
index 0000000000..3e31d5e244
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4922c0fcdde4c7f73242b13bf5e35c19.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4bac6ce277aedfb4a674f2d9fcb2599a.png b/windows/security/threat-protection/microsoft-defender-atp/images/4bac6ce277aedfb4a674f2d9fcb2599a.png
new file mode 100644
index 0000000000..15c5639231
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4bac6ce277aedfb4a674f2d9fcb2599a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4cc3cfc683ae36ff906562a61908d132.png b/windows/security/threat-protection/microsoft-defender-atp/images/4cc3cfc683ae36ff906562a61908d132.png
new file mode 100644
index 0000000000..6aee2fb1b1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4cc3cfc683ae36ff906562a61908d132.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4d2d1d4ee13d3f840f425924c3df0d51.png b/windows/security/threat-protection/microsoft-defender-atp/images/4d2d1d4ee13d3f840f425924c3df0d51.png
new file mode 100644
index 0000000000..83ef8509be
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4d2d1d4ee13d3f840f425924c3df0d51.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png b/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png
new file mode 100644
index 0000000000..2f6d99294b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4ec20e72c8aed9a4c16912e01692436a.png b/windows/security/threat-protection/microsoft-defender-atp/images/4ec20e72c8aed9a4c16912e01692436a.png
new file mode 100644
index 0000000000..e3d3692c75
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4ec20e72c8aed9a4c16912e01692436a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png b/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png
index 46c2427055..ce6de17e48 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png and b/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png b/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png
new file mode 100644
index 0000000000..88682c78a0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/526b83fbdbb31265b3d0c1e5fbbdc33a.png b/windows/security/threat-protection/microsoft-defender-atp/images/526b83fbdbb31265b3d0c1e5fbbdc33a.png
new file mode 100644
index 0000000000..6b4bd29da7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/526b83fbdbb31265b3d0c1e5fbbdc33a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/526e978761fc571cca06907da7b01fd6.png b/windows/security/threat-protection/microsoft-defender-atp/images/526e978761fc571cca06907da7b01fd6.png
new file mode 100644
index 0000000000..2ee505158e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/526e978761fc571cca06907da7b01fd6.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/54be9c6ed5b24cebe628dc3cd9ca4089.png b/windows/security/threat-protection/microsoft-defender-atp/images/54be9c6ed5b24cebe628dc3cd9ca4089.png
new file mode 100644
index 0000000000..b809759dcb
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/54be9c6ed5b24cebe628dc3cd9ca4089.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png b/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png
new file mode 100644
index 0000000000..ca1ff72715
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/56dac54634d13b2d3948ab50e8d3ef21.png b/windows/security/threat-protection/microsoft-defender-atp/images/56dac54634d13b2d3948ab50e8d3ef21.png
new file mode 100644
index 0000000000..23770e3a97
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/56dac54634d13b2d3948ab50e8d3ef21.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/56e6f6259b9ce3c1706ed8d666ae4947.png b/windows/security/threat-protection/microsoft-defender-atp/images/56e6f6259b9ce3c1706ed8d666ae4947.png
new file mode 100644
index 0000000000..163da50934
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/56e6f6259b9ce3c1706ed8d666ae4947.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/57aa4d21e2ccc65466bf284701d4e961.png b/windows/security/threat-protection/microsoft-defender-atp/images/57aa4d21e2ccc65466bf284701d4e961.png
new file mode 100644
index 0000000000..d2c3a2f2e5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/57aa4d21e2ccc65466bf284701d4e961.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/57cef926d1b9260fb74a5f460cee887a.png b/windows/security/threat-protection/microsoft-defender-atp/images/57cef926d1b9260fb74a5f460cee887a.png
new file mode 100644
index 0000000000..e3897c4cbe
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/57cef926d1b9260fb74a5f460cee887a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5856b765a6ce677caacb130ca36b1a62.png b/windows/security/threat-protection/microsoft-defender-atp/images/5856b765a6ce677caacb130ca36b1a62.png
new file mode 100644
index 0000000000..2e85b376b2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5856b765a6ce677caacb130ca36b1a62.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png b/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png
new file mode 100644
index 0000000000..72a6a9e334
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png b/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png
new file mode 100644
index 0000000000..5e7cf47523
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png b/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png
new file mode 100644
index 0000000000..026b643022
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png b/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png
new file mode 100644
index 0000000000..2775ac9cda
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png b/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png
new file mode 100644
index 0000000000..fa53f0826c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/625ba6d19e8597f05e4907298a454d28.png b/windows/security/threat-protection/microsoft-defender-atp/images/625ba6d19e8597f05e4907298a454d28.png
new file mode 100644
index 0000000000..b63b06e529
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/625ba6d19e8597f05e4907298a454d28.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/632aaab79ae18d0d2b8e0c16b6ba39e2.png b/windows/security/threat-protection/microsoft-defender-atp/images/632aaab79ae18d0d2b8e0c16b6ba39e2.png
new file mode 100644
index 0000000000..8d43285b82
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/632aaab79ae18d0d2b8e0c16b6ba39e2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/633ad26b8bf24ec683c98b2feb884bdf.png b/windows/security/threat-protection/microsoft-defender-atp/images/633ad26b8bf24ec683c98b2feb884bdf.png
new file mode 100644
index 0000000000..e71d428536
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/633ad26b8bf24ec683c98b2feb884bdf.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/644e0f3af40c29e80ca1443535b2fe32.png b/windows/security/threat-protection/microsoft-defender-atp/images/644e0f3af40c29e80ca1443535b2fe32.png
new file mode 100644
index 0000000000..b37ef7c8b5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/644e0f3af40c29e80ca1443535b2fe32.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png b/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png
new file mode 100644
index 0000000000..d4fd512845
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/68bdbc5754dfc80aa1a024dde0fce7b0.png b/windows/security/threat-protection/microsoft-defender-atp/images/68bdbc5754dfc80aa1a024dde0fce7b0.png
new file mode 100644
index 0000000000..774f727137
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/68bdbc5754dfc80aa1a024dde0fce7b0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png b/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png
new file mode 100644
index 0000000000..8db6715ccd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6c8b406ee224335a8c65d06953dc756e.png b/windows/security/threat-protection/microsoft-defender-atp/images/6c8b406ee224335a8c65d06953dc756e.png
new file mode 100644
index 0000000000..65870c57ee
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6c8b406ee224335a8c65d06953dc756e.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png b/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png
new file mode 100644
index 0000000000..24eede07b8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6de50b4a897408ddc6ded56a09c09fe2.png b/windows/security/threat-protection/microsoft-defender-atp/images/6de50b4a897408ddc6ded56a09c09fe2.png
new file mode 100644
index 0000000000..4251c7b374
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6de50b4a897408ddc6ded56a09c09fe2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6e48e7b29daf50afddcc6c8c7d59fd64.png b/windows/security/threat-protection/microsoft-defender-atp/images/6e48e7b29daf50afddcc6c8c7d59fd64.png
new file mode 100644
index 0000000000..e811de74c2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6e48e7b29daf50afddcc6c8c7d59fd64.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6eda18a64a660fa149575454e54e7156.png b/windows/security/threat-protection/microsoft-defender-atp/images/6eda18a64a660fa149575454e54e7156.png
new file mode 100644
index 0000000000..edf5e96a06
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6eda18a64a660fa149575454e54e7156.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6f093e42856753a3955cab7ee14f12d9.png b/windows/security/threat-protection/microsoft-defender-atp/images/6f093e42856753a3955cab7ee14f12d9.png
new file mode 100644
index 0000000000..8bb38c4958
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6f093e42856753a3955cab7ee14f12d9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6f85269276b2278eca4bce84f935f87b.png b/windows/security/threat-protection/microsoft-defender-atp/images/6f85269276b2278eca4bce84f935f87b.png
new file mode 100644
index 0000000000..11d8c78bcf
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6f85269276b2278eca4bce84f935f87b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6fd0cb2bbb0e60a623829c91fd0826ab.png b/windows/security/threat-protection/microsoft-defender-atp/images/6fd0cb2bbb0e60a623829c91fd0826ab.png
new file mode 100644
index 0000000000..32d1b991bd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6fd0cb2bbb0e60a623829c91fd0826ab.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/715ae7ec8d6a262c489f94d14e1e51bb.png b/windows/security/threat-protection/microsoft-defender-atp/images/715ae7ec8d6a262c489f94d14e1e51bb.png
new file mode 100644
index 0000000000..bfe95454d9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/715ae7ec8d6a262c489f94d14e1e51bb.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/718b9d609f9f77c8b13ba88c4c0abe5d.png b/windows/security/threat-protection/microsoft-defender-atp/images/718b9d609f9f77c8b13ba88c4c0abe5d.png
new file mode 100644
index 0000000000..46b0e010bd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/718b9d609f9f77c8b13ba88c4c0abe5d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/7697c33b9fd376ae5a8023d01f9d3857.png b/windows/security/threat-protection/microsoft-defender-atp/images/7697c33b9fd376ae5a8023d01f9d3857.png
new file mode 100644
index 0000000000..a037ed737b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/7697c33b9fd376ae5a8023d01f9d3857.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/770827925b3f572fc027e7d50dcc415d.png b/windows/security/threat-protection/microsoft-defender-atp/images/770827925b3f572fc027e7d50dcc415d.png
new file mode 100644
index 0000000000..82bd4898af
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/770827925b3f572fc027e7d50dcc415d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/77d14ea36bea97c4607af0f70c88b812.png b/windows/security/threat-protection/microsoft-defender-atp/images/77d14ea36bea97c4607af0f70c88b812.png
new file mode 100644
index 0000000000..a3ce68e15e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/77d14ea36bea97c4607af0f70c88b812.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png b/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png
new file mode 100644
index 0000000000..2159bbe1ad
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/7acc1b24846d3388d3b29c1d7a2dd141.png b/windows/security/threat-protection/microsoft-defender-atp/images/7acc1b24846d3388d3b29c1d7a2dd141.png
new file mode 100644
index 0000000000..4ef3ad1831
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/7acc1b24846d3388d3b29c1d7a2dd141.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/7f9138053dbcbf928e5182ee7b295ebe.png b/windows/security/threat-protection/microsoft-defender-atp/images/7f9138053dbcbf928e5182ee7b295ebe.png
new file mode 100644
index 0000000000..474e281699
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/7f9138053dbcbf928e5182ee7b295ebe.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/809cef630281b64b8f07f20913b0039b.png b/windows/security/threat-protection/microsoft-defender-atp/images/809cef630281b64b8f07f20913b0039b.png
new file mode 100644
index 0000000000..b31c48693d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/809cef630281b64b8f07f20913b0039b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/846ca6a7a4be5be7111744091d539cba.png b/windows/security/threat-protection/microsoft-defender-atp/images/846ca6a7a4be5be7111744091d539cba.png
new file mode 100644
index 0000000000..b0dd1554ef
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/846ca6a7a4be5be7111744091d539cba.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/847b70e54ed04787e415f5180414b310.png b/windows/security/threat-protection/microsoft-defender-atp/images/847b70e54ed04787e415f5180414b310.png
new file mode 100644
index 0000000000..884a5e815e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/847b70e54ed04787e415f5180414b310.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png b/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png
index 62e3dfceac..dad2a98f43 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png and b/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png b/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png
new file mode 100644
index 0000000000..7935e15763
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8c3bdc3924488542295f29c93af3881f.png b/windows/security/threat-protection/microsoft-defender-atp/images/8c3bdc3924488542295f29c93af3881f.png
new file mode 100644
index 0000000000..f0b6205a1f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8c3bdc3924488542295f29c93af3881f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8d80fe378a31143db9be0bacf7ddc5a3.png b/windows/security/threat-protection/microsoft-defender-atp/images/8d80fe378a31143db9be0bacf7ddc5a3.png
new file mode 100644
index 0000000000..943ede3988
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8d80fe378a31143db9be0bacf7ddc5a3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8dde76b5463047423f8637c86b05c29d.png b/windows/security/threat-protection/microsoft-defender-atp/images/8dde76b5463047423f8637c86b05c29d.png
new file mode 100644
index 0000000000..b15631e21b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8dde76b5463047423f8637c86b05c29d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8e69f867664668796a3b2904896f0436.png b/windows/security/threat-protection/microsoft-defender-atp/images/8e69f867664668796a3b2904896f0436.png
new file mode 100644
index 0000000000..aba654cde9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8e69f867664668796a3b2904896f0436.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png b/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png
new file mode 100644
index 0000000000..82c5aa9d19
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8fb4cc03721e1efb4a15867d5241ebfb.png b/windows/security/threat-protection/microsoft-defender-atp/images/8fb4cc03721e1efb4a15867d5241ebfb.png
new file mode 100644
index 0000000000..df6134c572
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8fb4cc03721e1efb4a15867d5241ebfb.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/900c0197aa59f9b7abd762ab2b32e80c.png b/windows/security/threat-protection/microsoft-defender-atp/images/900c0197aa59f9b7abd762ab2b32e80c.png
index 246439b6ea..304ca9217b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/900c0197aa59f9b7abd762ab2b32e80c.png and b/windows/security/threat-protection/microsoft-defender-atp/images/900c0197aa59f9b7abd762ab2b32e80c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/920e433f440fa1d3d298e6a2a43d4811.png b/windows/security/threat-protection/microsoft-defender-atp/images/920e433f440fa1d3d298e6a2a43d4811.png
new file mode 100644
index 0000000000..95f726c325
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/920e433f440fa1d3d298e6a2a43d4811.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png b/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png
new file mode 100644
index 0000000000..41be549fd6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/95313facfdd5e1ea361981e0a2478fec.png b/windows/security/threat-protection/microsoft-defender-atp/images/95313facfdd5e1ea361981e0a2478fec.png
new file mode 100644
index 0000000000..d4638f0643
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/95313facfdd5e1ea361981e0a2478fec.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/98acea3750113b8dbab334296e833003.png b/windows/security/threat-protection/microsoft-defender-atp/images/98acea3750113b8dbab334296e833003.png
new file mode 100644
index 0000000000..12867aecde
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/98acea3750113b8dbab334296e833003.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/990742cd9a15ca9fdd37c9f695d1b9f4.png b/windows/security/threat-protection/microsoft-defender-atp/images/990742cd9a15ca9fdd37c9f695d1b9f4.png
new file mode 100644
index 0000000000..0de20fa301
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/990742cd9a15ca9fdd37c9f695d1b9f4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/99679a7835b0d27d0a222bc3fdaf7f3b.png b/windows/security/threat-protection/microsoft-defender-atp/images/99679a7835b0d27d0a222bc3fdaf7f3b.png
new file mode 100644
index 0000000000..fd2706aa68
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/99679a7835b0d27d0a222bc3fdaf7f3b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9970046795448057693973a976da3d1d.png b/windows/security/threat-protection/microsoft-defender-atp/images/9970046795448057693973a976da3d1d.png
new file mode 100644
index 0000000000..b4e92a0f51
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9970046795448057693973a976da3d1d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9d6e5386e652e00715ff348af72671c6.png b/windows/security/threat-protection/microsoft-defender-atp/images/9d6e5386e652e00715ff348af72671c6.png
new file mode 100644
index 0000000000..7c4bf5f298
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9d6e5386e652e00715ff348af72671c6.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9e31ba00bcdd0bd8c1d1e53808581a2d.png b/windows/security/threat-protection/microsoft-defender-atp/images/9e31ba00bcdd0bd8c1d1e53808581a2d.png
new file mode 100644
index 0000000000..a604180a07
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9e31ba00bcdd0bd8c1d1e53808581a2d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9f09cc4cd841559dd389fba7dc57e5e0.png b/windows/security/threat-protection/microsoft-defender-atp/images/9f09cc4cd841559dd389fba7dc57e5e0.png
new file mode 100644
index 0000000000..c636679f40
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9f09cc4cd841559dd389fba7dc57e5e0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9fc17529e5577eefd773c658ec576a7d.png b/windows/security/threat-protection/microsoft-defender-atp/images/9fc17529e5577eefd773c658ec576a7d.png
new file mode 100644
index 0000000000..f352977ac3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9fc17529e5577eefd773c658ec576a7d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9fe378a1dce0f143005c3aa53d8c4f51.png b/windows/security/threat-protection/microsoft-defender-atp/images/9fe378a1dce0f143005c3aa53d8c4f51.png
index fac1c0ebaf..e300b1d2fc 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/9fe378a1dce0f143005c3aa53d8c4f51.png and b/windows/security/threat-protection/microsoft-defender-atp/images/9fe378a1dce0f143005c3aa53d8c4f51.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/Support3.png b/windows/security/threat-protection/microsoft-defender-atp/images/Support3.png
new file mode 100644
index 0000000000..f58a56ffd2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/Support3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/Support4.png b/windows/security/threat-protection/microsoft-defender-atp/images/Support4.png
new file mode 100644
index 0000000000..18a8ab7afe
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/Support4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a26bd4967cd54bb113a2c8d32894c3de.png b/windows/security/threat-protection/microsoft-defender-atp/images/a26bd4967cd54bb113a2c8d32894c3de.png
new file mode 100644
index 0000000000..4ec19ffeb2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a26bd4967cd54bb113a2c8d32894c3de.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a347307458d6a9bbfa88df7dbe15398f.png b/windows/security/threat-protection/microsoft-defender-atp/images/a347307458d6a9bbfa88df7dbe15398f.png
new file mode 100644
index 0000000000..bfcfa8f717
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a347307458d6a9bbfa88df7dbe15398f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a422e57fe8d45689227e784443e51bd1.png b/windows/security/threat-protection/microsoft-defender-atp/images/a422e57fe8d45689227e784443e51bd1.png
new file mode 100644
index 0000000000..c734a1763a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a422e57fe8d45689227e784443e51bd1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a43bdc97f961de41946baca0e7405138.png b/windows/security/threat-protection/microsoft-defender-atp/images/a43bdc97f961de41946baca0e7405138.png
new file mode 100644
index 0000000000..1c78719148
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a43bdc97f961de41946baca0e7405138.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png b/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png
new file mode 100644
index 0000000000..be6531a2f0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png b/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png
new file mode 100644
index 0000000000..2111e5ee9c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png b/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png
new file mode 100644
index 0000000000..f0d844cbf7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a657018ab7c25284f0a631e83fc63c20.png b/windows/security/threat-protection/microsoft-defender-atp/images/a657018ab7c25284f0a631e83fc63c20.png
new file mode 100644
index 0000000000..3aea41c5e9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a657018ab7c25284f0a631e83fc63c20.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a790e02892e09857213331be078b9c28.png b/windows/security/threat-protection/microsoft-defender-atp/images/a790e02892e09857213331be078b9c28.png
new file mode 100644
index 0000000000..6221e07cb5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a790e02892e09857213331be078b9c28.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png b/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png
new file mode 100644
index 0000000000..696a84fc1b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/aa9f8f0f5772b7032e0f5606a9094c79.png b/windows/security/threat-protection/microsoft-defender-atp/images/aa9f8f0f5772b7032e0f5606a9094c79.png
new file mode 100644
index 0000000000..ef720de702
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/aa9f8f0f5772b7032e0f5606a9094c79.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/abccba0b620cec06b03d219832667fe1.png b/windows/security/threat-protection/microsoft-defender-atp/images/abccba0b620cec06b03d219832667fe1.png
new file mode 100644
index 0000000000..d7d0f281c2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/abccba0b620cec06b03d219832667fe1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ae3597247b6bc7c5347cf56ab1e820c0.png b/windows/security/threat-protection/microsoft-defender-atp/images/ae3597247b6bc7c5347cf56ab1e820c0.png
new file mode 100644
index 0000000000..0dab513560
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ae3597247b6bc7c5347cf56ab1e820c0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/analyzer-commands.png b/windows/security/threat-protection/microsoft-defender-atp/images/analyzer-commands.png
new file mode 100644
index 0000000000..5e66e9efc4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/analyzer-commands.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/analyzer-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/analyzer-file.png
new file mode 100644
index 0000000000..0673d134b3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/analyzer-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app.png b/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app.png
index bc91973dc7..68e16ed3f6 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app.png and b/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/android-review-create.png b/windows/security/threat-protection/microsoft-defender-atp/images/android-review-create.png
index aeedcfb63e..60e08adef5 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/android-review-create.png and b/windows/security/threat-protection/microsoft-defender-atp/images/android-review-create.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/arcsight-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/arcsight-logo.png
new file mode 100644
index 0000000000..5ec3542ebe
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/arcsight-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/aruba-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/aruba-logo.png
new file mode 100644
index 0000000000..037ca3b833
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/aruba-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/attackiq-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/attackiq-logo.png
new file mode 100644
index 0000000000..e27d84fd76
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/attackiq-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png b/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png
new file mode 100644
index 0000000000..feff40a8fa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b334974590d1a1fa4bc034b6190663ea.png b/windows/security/threat-protection/microsoft-defender-atp/images/b334974590d1a1fa4bc034b6190663ea.png
new file mode 100644
index 0000000000..778c97d70a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b334974590d1a1fa4bc034b6190663ea.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png b/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png
new file mode 100644
index 0000000000..1b3302994b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b64986618ecc9eec016a7e4c504d9d27.png b/windows/security/threat-protection/microsoft-defender-atp/images/b64986618ecc9eec016a7e4c504d9d27.png
new file mode 100644
index 0000000000..55aced9e5e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b64986618ecc9eec016a7e4c504d9d27.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b6c7ad56d50f497c38fc14c1e315456c.png b/windows/security/threat-protection/microsoft-defender-atp/images/b6c7ad56d50f497c38fc14c1e315456c.png
new file mode 100644
index 0000000000..cb1009d9ab
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b6c7ad56d50f497c38fc14c1e315456c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b6d671b2f18b89d96c1c8e2ea1991242.png b/windows/security/threat-protection/microsoft-defender-atp/images/b6d671b2f18b89d96c1c8e2ea1991242.png
new file mode 100644
index 0000000000..168b4103a5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b6d671b2f18b89d96c1c8e2ea1991242.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b7b677c6b06dfa9a00223ec6c58685d6.png b/windows/security/threat-protection/microsoft-defender-atp/images/b7b677c6b06dfa9a00223ec6c58685d6.png
new file mode 100644
index 0000000000..f889ed6a06
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b7b677c6b06dfa9a00223ec6c58685d6.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ba3d40399e1a6d09214ecbb2b341923f.png b/windows/security/threat-protection/microsoft-defender-atp/images/ba3d40399e1a6d09214ecbb2b341923f.png
new file mode 100644
index 0000000000..3effc79498
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ba3d40399e1a6d09214ecbb2b341923f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ba44cdb77e4781aa8b940fb83e3c21f7.png b/windows/security/threat-protection/microsoft-defender-atp/images/ba44cdb77e4781aa8b940fb83e3c21f7.png
new file mode 100644
index 0000000000..9d9988e39f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ba44cdb77e4781aa8b940fb83e3c21f7.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bcd4920afadbc158f8d7de88c11096fb.png b/windows/security/threat-protection/microsoft-defender-atp/images/bcd4920afadbc158f8d7de88c11096fb.png
new file mode 100644
index 0000000000..cdf08c8f7b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bcd4920afadbc158f8d7de88c11096fb.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bd93e78b74c2660a0541af4690dd9485.png b/windows/security/threat-protection/microsoft-defender-atp/images/bd93e78b74c2660a0541af4690dd9485.png
new file mode 100644
index 0000000000..b30f65c374
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bd93e78b74c2660a0541af4690dd9485.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bdo-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/bdo-logo.png
new file mode 100644
index 0000000000..d51d5e1ec8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bdo-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bettermobile-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/bettermobile-logo.png
new file mode 100644
index 0000000000..03c731e2d6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bettermobile-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bf187f62ea1ae024d87a933cf97a00d3.png b/windows/security/threat-protection/microsoft-defender-atp/images/bf187f62ea1ae024d87a933cf97a00d3.png
new file mode 100644
index 0000000000..2bd24757a9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bf187f62ea1ae024d87a933cf97a00d3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bitdefender-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/bitdefender-logo.png
new file mode 100644
index 0000000000..a04e552d0e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bitdefender-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bluehexagon-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/bluehexagon-logo.png
new file mode 100644
index 0000000000..73c502b488
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bluehexagon-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bluevoyant-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/bluevoyant-logo.png
new file mode 100644
index 0000000000..290da40140
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bluevoyant-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png b/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png
new file mode 100644
index 0000000000..b7a63ecc3e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c1022b886c359a2969b9a3fea4bcc6ed.png b/windows/security/threat-protection/microsoft-defender-atp/images/c1022b886c359a2969b9a3fea4bcc6ed.png
new file mode 100644
index 0000000000..e0c1d3c59c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c1022b886c359a2969b9a3fea4bcc6ed.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c254c437d5bdb4c28df8b25ba0a5e4a2.png b/windows/security/threat-protection/microsoft-defender-atp/images/c254c437d5bdb4c28df8b25ba0a5e4a2.png
new file mode 100644
index 0000000000..f973186aa0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c254c437d5bdb4c28df8b25ba0a5e4a2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c2e647fc8fa31c4f2349c76f2497bc0e.png b/windows/security/threat-protection/microsoft-defender-atp/images/c2e647fc8fa31c4f2349c76f2497bc0e.png
index 6e16d764c8..cdb053fdd9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/c2e647fc8fa31c4f2349c76f2497bc0e.png and b/windows/security/threat-protection/microsoft-defender-atp/images/c2e647fc8fa31c4f2349c76f2497bc0e.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c9820a5ff84aaf21635c04a23a97ca93.png b/windows/security/threat-protection/microsoft-defender-atp/images/c9820a5ff84aaf21635c04a23a97ca93.png
new file mode 100644
index 0000000000..a33cc304f5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c9820a5ff84aaf21635c04a23a97ca93.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c9f85bba3e96d627fe00fc5a8363b83a.png b/windows/security/threat-protection/microsoft-defender-atp/images/c9f85bba3e96d627fe00fc5a8363b83a.png
new file mode 100644
index 0000000000..d01d4b01da
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c9f85bba3e96d627fe00fc5a8363b83a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png b/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png
new file mode 100644
index 0000000000..7c2c572329
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png b/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png
new file mode 100644
index 0000000000..2b44054fc5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ce580aec080512d44a37ff8e82e5c2ac.png b/windows/security/threat-protection/microsoft-defender-atp/images/ce580aec080512d44a37ff8e82e5c2ac.png
new file mode 100644
index 0000000000..1b3179853c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ce580aec080512d44a37ff8e82e5c2ac.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png b/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png
new file mode 100644
index 0000000000..85d6d6dd51
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cf30438b5512ac89af1d11cbf35219a6.png b/windows/security/threat-protection/microsoft-defender-atp/images/cf30438b5512ac89af1d11cbf35219a6.png
new file mode 100644
index 0000000000..ac3ffa8237
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cf30438b5512ac89af1d11cbf35219a6.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/choose-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/choose-file.png
new file mode 100644
index 0000000000..c82cab2cb8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/choose-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cloudsecuritycenter-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/cloudsecuritycenter-logo.png
new file mode 100644
index 0000000000..743ebbe1d5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cloudsecuritycenter-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cloudsoc-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/cloudsoc-logo.png
new file mode 100644
index 0000000000..745fe3da44
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cloudsoc-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/contoso-machine-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/contoso-machine-group.png
new file mode 100644
index 0000000000..954724e574
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/contoso-machine-group.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/corrata-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/corrata-logo.png
new file mode 100644
index 0000000000..be75af835c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/corrata-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/csis-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/csis-logo.png
new file mode 100644
index 0000000000..8c3037339e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/csis-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cybermdx-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/cybermdx-logo.png
new file mode 100644
index 0000000000..90d32e2508
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cybermdx-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cybersponse-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/cybersponse-logo.png
new file mode 100644
index 0000000000..dbe2849a0b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cybersponse-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cymulate-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/cymulate-logo.png
new file mode 100644
index 0000000000..daa2aef8f8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cymulate-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cyren-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/cyren-logo.png
new file mode 100644
index 0000000000..155137e4fd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cyren-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/d0e0bee1e23464ab729191bbea5c2604.png b/windows/security/threat-protection/microsoft-defender-atp/images/d0e0bee1e23464ab729191bbea5c2604.png
new file mode 100644
index 0000000000..2f8b727669
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/d0e0bee1e23464ab729191bbea5c2604.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/d8254adf4bd30290f9a8a0c131830a1f.png b/windows/security/threat-protection/microsoft-defender-atp/images/d8254adf4bd30290f9a8a0c131830a1f.png
new file mode 100644
index 0000000000..82131ac913
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/d8254adf4bd30290f9a8a0c131830a1f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/db15f147dd959e872a044184711d7d46.png b/windows/security/threat-protection/microsoft-defender-atp/images/db15f147dd959e872a044184711d7d46.png
new file mode 100644
index 0000000000..a8cd37acf4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/db15f147dd959e872a044184711d7d46.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dc9f016cf649f8baaa89eaa0511ebb85.png b/windows/security/threat-protection/microsoft-defender-atp/images/dc9f016cf649f8baaa89eaa0511ebb85.png
new file mode 100644
index 0000000000..dd86cc8585
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dc9f016cf649f8baaa89eaa0511ebb85.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png b/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png
new file mode 100644
index 0000000000..e49c575125
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dd55405106da0dfc2f50f8d4525b01c8.png b/windows/security/threat-protection/microsoft-defender-atp/images/dd55405106da0dfc2f50f8d4525b01c8.png
new file mode 100644
index 0000000000..6e5f3fa9dc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dd55405106da0dfc2f50f8d4525b01c8.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/de180771f31278a2a6225857f73caf0d.png b/windows/security/threat-protection/microsoft-defender-atp/images/de180771f31278a2a6225857f73caf0d.png
new file mode 100644
index 0000000000..89a9591408
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/de180771f31278a2a6225857f73caf0d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dell-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/dell-logo.png
new file mode 100644
index 0000000000..e8ebeabdda
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dell-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/delta-risk-activeeye-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/delta-risk-activeeye-logo.png
new file mode 100644
index 0000000000..eb5d7a2d36
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/delta-risk-activeeye-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/demisto-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/demisto-logo.png
new file mode 100644
index 0000000000..205a91f2a4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/demisto-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png b/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png
new file mode 100644
index 0000000000..2dd6492036
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png b/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png
new file mode 100644
index 0000000000..912ae2f634
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dxc-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/dxc-logo.png
new file mode 100644
index 0000000000..1ec8acb23e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dxc-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e07f270419f7b1e5ee6744f8b38ddeaf.png b/windows/security/threat-protection/microsoft-defender-atp/images/e07f270419f7b1e5ee6744f8b38ddeaf.png
new file mode 100644
index 0000000000..f5448c34d3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e07f270419f7b1e5ee6744f8b38ddeaf.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e1cc1e48ec9d5d688087b4d771e668d2.png b/windows/security/threat-protection/microsoft-defender-atp/images/e1cc1e48ec9d5d688087b4d771e668d2.png
new file mode 100644
index 0000000000..d730bb042b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e1cc1e48ec9d5d688087b4d771e668d2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png b/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png
new file mode 100644
index 0000000000..741d4af9b9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e925142786fa5c0e9309fafc128a5ef7.png b/windows/security/threat-protection/microsoft-defender-atp/images/e925142786fa5c0e9309fafc128a5ef7.png
new file mode 100644
index 0000000000..f47188ab2e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e925142786fa5c0e9309fafc128a5ef7.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png b/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png
index 89da77d866..e0aadcc880 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/eaba2a23dd34f73bf59e826217ba6f15.png b/windows/security/threat-protection/microsoft-defender-atp/images/eaba2a23dd34f73bf59e826217ba6f15.png
new file mode 100644
index 0000000000..790aae6d4d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/eaba2a23dd34f73bf59e826217ba6f15.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png b/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png
new file mode 100644
index 0000000000..a588c74aae
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/elastic-security-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/elastic-security-logo.png
new file mode 100644
index 0000000000..30352fe3b7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/elastic-security-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f504b2ae0a28a10778b0fa70378c355c.png b/windows/security/threat-protection/microsoft-defender-atp/images/f504b2ae0a28a10778b0fa70378c355c.png
new file mode 100644
index 0000000000..b4da9a44be
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/f504b2ae0a28a10778b0fa70378c355c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f624de59b3cc86e3e2d32ae5de093e02.png b/windows/security/threat-protection/microsoft-defender-atp/images/f624de59b3cc86e3e2d32ae5de093e02.png
new file mode 100644
index 0000000000..314479f578
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/f624de59b3cc86e3e2d32ae5de093e02.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f878f8efa5ebc92d069f4b8f79f62c7f.png b/windows/security/threat-protection/microsoft-defender-atp/images/f878f8efa5ebc92d069f4b8f79f62c7f.png
new file mode 100644
index 0000000000..7bf897ae75
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/f878f8efa5ebc92d069f4b8f79f62c7f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f9c3bad127d636c1f150d79814f35d4c.png b/windows/security/threat-protection/microsoft-defender-atp/images/f9c3bad127d636c1f150d79814f35d4c.png
new file mode 100644
index 0000000000..8c99263f26
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/f9c3bad127d636c1f150d79814f35d4c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png b/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png
index 101020a8fb..738869b471 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png and b/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/fb2220fed3a530f4b3ef36f600da0c27.png b/windows/security/threat-protection/microsoft-defender-atp/images/fb2220fed3a530f4b3ef36f600da0c27.png
new file mode 100644
index 0000000000..b16f4b9326
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/fb2220fed3a530f4b3ef36f600da0c27.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png b/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png
new file mode 100644
index 0000000000..835c7fbd32
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ffecfdda1c4df14148f1526c22cc0236.png b/windows/security/threat-protection/microsoft-defender-atp/images/ffecfdda1c4df14148f1526c22cc0236.png
index 2045d1c748..880d92d76a 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ffecfdda1c4df14148f1526c22cc0236.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ffecfdda1c4df14148f1526c22cc0236.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ibm-qradar-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/ibm-qradar-logo.png
new file mode 100644
index 0000000000..47a6790a6f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ibm-qradar-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamf-login1.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-login1.png
new file mode 100644
index 0000000000..4668be81df
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-login1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-configure-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-configure-profile.png
new file mode 100644
index 0000000000..879ecf9575
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-configure-profile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-dashboard.png
new file mode 100644
index 0000000000..c54729166f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-portal1.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-portal1.png
new file mode 100644
index 0000000000..a3f59fcea3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-portal1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-static-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-static-group.png
new file mode 100644
index 0000000000..062a297f8c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-static-group.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-ca-certificate.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-ca-certificate.png
new file mode 100644
index 0000000000..89a3a9fa29
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-ca-certificate.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-configuration-policies.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-configuration-policies.png
new file mode 100644
index 0000000000..0c14cc2d3a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-configuration-policies.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-deployment-target.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-deployment-target.png
new file mode 100644
index 0000000000..c533d9000c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-deployment-target.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-download.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-download.png
new file mode 100644
index 0000000000..a3c7524472
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-download.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-install-mdm-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-install-mdm-profile.png
new file mode 100644
index 0000000000..b543f8a02a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-install-mdm-profile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-install-mdm.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-install-mdm.png
new file mode 100644
index 0000000000..4377bc50e3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-install-mdm.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mac-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mac-profile.png
new file mode 100644
index 0000000000..ea36ebff47
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mac-profile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-machine-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-machine-group.png
new file mode 100644
index 0000000000..eaea373077
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-machine-group.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mdm-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mdm-profile.png
new file mode 100644
index 0000000000..bf5017bdbd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mdm-profile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mdm-unverified.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mdm-unverified.png
new file mode 100644
index 0000000000..0900e110f6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mdm-unverified.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-file-onboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-file-onboard.png
new file mode 100644
index 0000000000..76b784f0fa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-file-onboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-file.png
new file mode 100644
index 0000000000..b3e820638e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-upload.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-upload.png
new file mode 100644
index 0000000000..62422eaa2d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-upload.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist.png
new file mode 100644
index 0000000000..53fd89f311
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-policies.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-policies.png
new file mode 100644
index 0000000000..bf7d34f9d9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-policies.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-scope-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-scope-tab.png
new file mode 100644
index 0000000000..5850b5fc1f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-scope-tab.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-settings.png
new file mode 100644
index 0000000000..8c390217ba
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-settings.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-computer.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-computer.png
new file mode 100644
index 0000000000..0f85e9a99d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-computer.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-group.png
new file mode 100644
index 0000000000..6073a576d5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-group.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-selected.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-selected.png
new file mode 100644
index 0000000000..6bedad674d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-selected.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-targets.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-targets.png
new file mode 100644
index 0000000000..75eb399e74
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-targets.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-upload-plist.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-upload-plist.png
new file mode 100644
index 0000000000..b8c139d6f7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-upload-plist.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/lookout-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/lookout-logo.png
new file mode 100644
index 0000000000..7d3c2f51e4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/lookout-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mda-properties.png b/windows/security/threat-protection/microsoft-defender-atp/images/mda-properties.png
index 9c0ce1f98b..9a1f5ba312 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mda-properties.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mda-properties.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/misp-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/misp-logo.png
new file mode 100644
index 0000000000..39c75e6b09
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/misp-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/morphisec-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/morphisec-logo.png
new file mode 100644
index 0000000000..a0a63ce9d6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/morphisec-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-logo.png
new file mode 100644
index 0000000000..c28a05a8ba
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/need-help.png b/windows/security/threat-protection/microsoft-defender-atp/images/need-help.png
new file mode 100644
index 0000000000..0b563802c7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/need-help.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/nextron-thor-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/nextron-thor-logo.png
new file mode 100644
index 0000000000..e0b5860da6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/nextron-thor-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ntt-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/ntt-logo.png
new file mode 100644
index 0000000000..9dc4f32e3c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ntt-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboarding-macos.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboarding-macos.png
new file mode 100644
index 0000000000..e0cbad4ba1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboarding-macos.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/paloalto-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/paloalto-logo.png
new file mode 100644
index 0000000000..fbd16e8c9c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/paloalto-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/plist-onboarding-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/plist-onboarding-file.png
new file mode 100644
index 0000000000..6c87d56c5f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/plist-onboarding-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/rapid7-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/rapid7-logo.png
new file mode 100644
index 0000000000..9683cf58e0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/rapid7-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/redcanary-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/redcanary-logo.png
new file mode 100644
index 0000000000..dd97b57c10
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/redcanary-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/rsa-netwitness-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/rsa-netwitness-logo.png
new file mode 100644
index 0000000000..b590724e54
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/rsa-netwitness-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/safebreach-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/safebreach-logo.png
new file mode 100644
index 0000000000..63a7f90e35
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/safebreach-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secureworks-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/secureworks-logo.png
new file mode 100644
index 0000000000..631e156cd1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secureworks-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sentinel-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/sentinel-logo.png
new file mode 100644
index 0000000000..f48e0a6b9c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sentinel-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sepago-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/sepago-logo.png
new file mode 100644
index 0000000000..6aea4a45f8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sepago-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/servicenow-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/servicenow-logo.png
new file mode 100644
index 0000000000..0c9f72b10a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/servicenow-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/skybox-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/skybox-logo.png
new file mode 100644
index 0000000000..dcb39ef9bb
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/skybox-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/splunk-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/splunk-logo.png
new file mode 100644
index 0000000000..925f90b44b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/splunk-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/support-widget.png b/windows/security/threat-protection/microsoft-defender-atp/images/support-widget.png
new file mode 100644
index 0000000000..02a0088669
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/support-widget.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/swimlane-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/swimlane-logo.png
new file mode 100644
index 0000000000..dfb025884c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/swimlane-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/symantec-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/symantec-logo.png
new file mode 100644
index 0000000000..856c312fcd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/symantec-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/testflight-get.png b/windows/security/threat-protection/microsoft-defender-atp/images/testflight-get.png
new file mode 100644
index 0000000000..5a2af54c14
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/testflight-get.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/threatconnect-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/threatconnect-logo.png
new file mode 100644
index 0000000000..f06fcc7589
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/threatconnect-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/trustwave-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/trustwave-logo.png
new file mode 100644
index 0000000000..f92fc87efe
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/trustwave-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/upload-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/upload-file.png
new file mode 100644
index 0000000000..6d348e5933
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/upload-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/vectra-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/vectra-logo.png
new file mode 100644
index 0000000000..a7b6dbc9a9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/vectra-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/wortell-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/wortell-logo.png
new file mode 100644
index 0000000000..ab1cf389fe
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/wortell-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/xmcyber-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/xmcyber-logo.png
new file mode 100644
index 0000000000..791edfa7ef
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/xmcyber-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/zimperium-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/zimperium-logo.png
new file mode 100644
index 0000000000..5f5451d743
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/zimperium-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ztap-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/ztap-logo.png
new file mode 100644
index 0000000000..6a61fa3d9f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ztap-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
index 3e4e0b9f14..ad7c9cbaa9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
@@ -17,6 +17,9 @@ manager: dansimp
# Import, export, and deploy exploit protection configurations
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](microsoft-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
index a60e510583..cfff5ce687 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
@@ -20,6 +20,9 @@ ms.topic: article
# Create indicators based on certificates
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -38,7 +41,7 @@ It's important to understand the following requirements prior to creating indica
- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
- The Antimalware client version must be 4.18.1901.x or later.
-- Supported on machines on Windows 10, version 1703 or later.
+- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019.
- The virus and threat protection definitions must be up-to-date.
- This feature currently supports entering .CER or .PEM file extensions.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
index c3312ea5e8..8a5a15bf39 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
@@ -20,6 +20,9 @@ ms.topic: article
# Create indicators for files
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -37,7 +40,7 @@ It's important to understand the following prerequisites prior to creating indic
- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
- The Antimalware client version must be 4.18.1901.x or later.
-- Supported on machines on Windows 10, version 1703 or later.
+- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019.
- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
@@ -76,4 +79,4 @@ Files automatically blocked by an indicator won't show up in the file's Action c
- [Create indicators](manage-indicators.md)
- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
- [Create indicators based on certificates](indicator-certificates.md)
-- [Manage indicators](indicator-manage.md)
\ No newline at end of file
+- [Manage indicators](indicator-manage.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
index 90e188b28e..4769eb6666 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
@@ -1,4 +1,4 @@
----
+---
title: Create indicators for IPs and URLs/domains
ms.reviewer:
description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities.
@@ -20,6 +20,9 @@ ms.topic: article
# Create indicators for IPs and URLs/domains
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -46,6 +49,7 @@ It's important to understand the following prerequisites prior to creating indic
> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
> NOTE:
>- IP is supported for all three protocols
+>- Only single IP addresses are supported (no CIDR blocks or IP ranges)
>- Encrypted URLs (full path) can only be blocked on first party browsers
>- Encrypted URLS (FQDN only) can be blocked outside of first party browsers
>- Full URL path blocks can be applied on the domain level and all unencrypted URLs
@@ -59,7 +63,7 @@ It's important to understand the following prerequisites prior to creating indic
2. Select the **IP addresses or URLs/Domains** tab.
-3. Select **Add indicator**.
+3. Select **Add item**.
4. Specify the following details:
- Indicator - Specify the entity details and define the expiration of the indicator.
@@ -72,4 +76,4 @@ It's important to understand the following prerequisites prior to creating indic
- [Create indicators](manage-indicators.md)
- [Create indicators for files](indicator-file.md)
- [Create indicators based on certificates](indicator-certificates.md)
-- [Manage indicators](indicator-manage.md)
\ No newline at end of file
+- [Manage indicators](indicator-manage.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md
index 2c3ba958b9..54d2c70de6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md
@@ -20,6 +20,9 @@ ms.topic: article
# Manage indicators
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
index 0c80426a9f..17b7c51fcd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Information protection in Windows overview
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
index b3c0ba3d56..4c595bdec5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
@@ -18,6 +18,9 @@ ms.topic: article
# Use sensitivity labels to prioritize incident response
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -59,4 +62,4 @@ Learn how to use data sensitivity labels to prioritize incident investigation.
>[!TIP]
->These data points are also exposed through the ‘DeviceFileEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
\ No newline at end of file
+>These data points are also exposed through the ‘DeviceFileEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
index e8685bb77b..f464c54bde 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
@@ -18,6 +18,9 @@ ms.topic: article
# Start Investigation API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
index f4d0a71105..892f860dff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
@@ -20,6 +20,9 @@ ms.date: 04/24/2018
# Investigate Microsoft Defender Advanced Threat Protection alerts
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
index 424ed0cb61..0738fd810b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
@@ -19,6 +19,9 @@ ms.topic: article
# Investigate connection events that occur behind forward proxies
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
index 3ab170260a..65739231df 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
@@ -19,6 +19,9 @@ ms.date: 04/24/2018
---
# Investigate a domain associated with a Microsoft Defender ATP alert
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
index ee59109437..0c25dc5114 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
@@ -20,6 +20,9 @@ ms.date: 04/24/2018
# Investigate a file associated with a Microsoft Defender ATP alert
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
index 1bdc888c78..2c7b5a46cc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
@@ -19,6 +19,9 @@ ms.topic: article
# Investigate incidents in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -83,4 +86,4 @@ You can click the circles on the incident graph to view the details of the malic
## Related topics
- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
- [Investigate incidents in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents)
-- [Manage Microsoft Defender ATP incidents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-incidents)
\ No newline at end of file
+- [Manage Microsoft Defender ATP incidents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-incidents)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
index 81a124863d..5bcdb3f2c1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
@@ -20,6 +20,9 @@ ms.date: 04/24/2018
# Investigate an IP address associated with a Microsoft Defender ATP alert
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index bd6a081f9a..6e97ffcfa7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -19,6 +19,9 @@ ms.topic: article
# Investigate devices in the Microsoft Defender ATP Devices list
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
index 841262e0fe..dd1a9f6766 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
@@ -19,6 +19,9 @@ ms.date: 04/24/2018
---
# Investigate a user account in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
index 9b1015434d..6f499c34c0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
@@ -18,6 +18,9 @@ ms.topic: article
# Investigation resource type
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -61,4 +64,4 @@ triggeringAlertId | String | The ID of the alert that triggered the investigatio
"computerDnsName": "desktop-test123",
"triggeringAlertId": "da637139127150012465_1011995739"
}
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
new file mode 100644
index 0000000000..95350170ab
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
@@ -0,0 +1,47 @@
+---
+title: Configure Microsoft Defender ATP for iOS features
+ms.reviewer:
+description: Describes how to deploy Microsoft Defender ATP for iOS features
+keywords: microsoft, defender, atp, ios, configure, features, ios
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Configure Microsoft Defender ATP for iOS features
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> **PUBLIC PREVIEW EDITION**
+>
+> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
+>
+> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+
+
+## Configure custom indicators
+Microsoft Defender ATP for iOS enables admins to configure custom indicators on
+iOS devices as well. Refer to [Manage
+indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
+on how to configure custom indicators
+
+## Web Protection
+By default, Microsoft Defender ATP for iOS includes and enables the web
+protection feature. [Web
+protection](web-protection-overview.md) helps
+to secure devices against web threats and protect users from phishing attacks.
+
+>[!NOTE]
+>Microsoft Defender ATP for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md
new file mode 100644
index 0000000000..d4f6077795
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md
@@ -0,0 +1,80 @@
+---
+title: App-based deployment for Microsoft Defender ATP for iOS
+ms.reviewer:
+description: Describes how to deploy Microsoft Defender ATP for iOS using an app
+keywords: microsoft, defender, atp, ios, app, installation, deploy, uninstallation, intune
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# App-based deployment for Microsoft Defender ATP for iOS
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> **PUBLIC PREVIEW EDITION**
+>
+> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
+>
+> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+
+Microsoft Defender ATP for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store.
+
+Deployment devices need to be enrolled on Intune Company portal. Refer to
+[Enroll your
+device](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll) to
+learn more about Intune device enrollment
+
+## Before you begin
+
+- Ensure you have access to [Microsoft Endpoint manager admin
+ center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
+- Ensure iOS enrollment is done for your users. Users need to have Microsoft Defender ATP
+ license assigned in order to use Microsoft Defender ATP for iOS. Refer [Assign licenses to
+ users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
+ for instructions on how to assign licenses.
+
+
+## Deployment steps
+
+To install Microsoft Defender ATP for iOS, end-users can visit
+ on their iOS devices. This link will open the
+TestFlight application on their device or prompt them to install TestFlight. On
+the TestFlight app, follow the onscreen instructions to install Microsoft
+Defender ATP.
+
+
+
+
+## Complete onboarding and check status
+
+1. Once Microsoft Defender ATP for iOS has been installed on the device, you
+ will see the app icon.
+
+ 
+
+2. Tap the Microsoft Defender ATP app icon and follow the on-screen
+ instructions to complete the onboarding steps. The details include end-user
+ acceptance of iOS permissions required by Microsoft Defender ATP for iOS.
+
+3. Upon successful onboarding, the device will start showing up on the Devices
+ list in Microsoft Defender Security Center.
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+## Next Steps
+
+[Configure Microsoft Defender ATP for iOS features](ios-configure-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md
new file mode 100644
index 0000000000..f775848c86
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md
@@ -0,0 +1,58 @@
+---
+title: Microsoft Defender ATP for iOS note on Privacy
+ms.reviewer:
+description: Describes the Microsoft Defender ATP for iOS Privacy
+keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope,
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: sunasing
+author: sunasing
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+hideEdit: true
+---
+
+# Microsoft Defender ATP for iOS note on Privacy
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+## What information can my organization see when I use Microsoft Defender ATP on iOS
+
+Your organization cannot see your personal information when you use Microsoft Defender ATP. Microsoft Defender ATP sends certain pieces of information from your device to the ATP portal, such as device threat level, device model, and serial number. Your organization uses this information to help protect you from web-based attacks.
+
+**What your organization can never see:**
+
+- Calling and web browsing history
+- Email and text messages
+- Contacts
+- Calendar
+- Passwords
+- Pictures, including what's in the photos app or camera roll
+- Files
+
+**What your organization can see:**
+
+- Malicious Connections that were blocked by Microsoft Defender ATP
+- Device model, like iPhone 11
+- Operating system and version, like iOS 12.0.1
+- Device name
+- Device serial number
+
+## VPN Usage
+
+Microsoft Defender ATP for iOS uses VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
+
+## More on Privacy
+
+[More information about Privacy](https://aka.ms/mdatpiosmainprivacystatement)
+
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
new file mode 100644
index 0000000000..6969f1c941
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
@@ -0,0 +1,229 @@
+---
+title: Microsoft Defender ATP for iOS Application license terms
+ms.reviewer:
+description: Describes the Microsoft Defender ATP for iOS license terms
+keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope,
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: sunasing
+author: sunasing
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+hideEdit: true
+---
+
+# Microsoft Defender ATP for iOS application license terms
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP
+
+These license terms ("Terms") are an agreement between Microsoft Corporation (or
+based on where you live, one of its affiliates) and you. Please read them. They
+apply to the application named above. These Terms also apply to any Microsoft
+
+- updates,
+
+- supplements,
+
+- Internet-based services, and
+
+- support services
+
+for this application, unless other terms accompany those items. If so, those
+terms apply.
+
+**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM,
+DO NOT USE THE APPLICATION.**
+
+**If you comply with these Terms, you have the perpetual rights below.**
+
+1. **INSTALLATION AND USE RIGHTS.**
+
+ 1. **Installation and Use.** You may install and use any number of copies
+ of this application on iOS enabled device or devices which you own
+ or control. You may use this application with your company's valid
+ subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or
+ an online service that includes MDATP functionalities.
+
+ 2. **Updates.** Updates or upgrades to MDATP may be required for full
+ functionality. Some functionality may not be available in all countries.
+
+ 3. **Third Party Programs.** The application may include third party
+ programs that Microsoft, not the third party, licenses to you under this
+ agreement. Notices, if any, for the third-party program are included for
+ your information only.
+
+2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
+ Internet access, data transfer and other services per the terms of the data
+ service plan and any other agreement you have with your network operator due
+ to use of the application. You are solely responsible for any network
+ operator charges.
+
+3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with
+ the application. It may change or cancel them at any time.
+
+ 1. Consent for Internet-Based or Wireless Services. The application may
+ connect to Internet-based wireless services. Your use of the application
+ operates as your consent to the transmission of standard device
+ information (including but not limited to technical information about
+ your device, system and application software, and peripherals) for
+ Internet-based or wireless services. If other terms are provided in
+ connection with your use of the services, those terms also apply.
+
+ - Data. Some online services require, or may be enhanced by, the
+ installation of local software like this one. At your, or your
+ admin's direction, this software may send data from a device to or
+ from an online service.
+
+ - Usage Data. Microsoft automatically collects usage and performance
+ data over the internet. This data will be used to provide and
+ improve Microsoft products and services and enhance your experience.
+ You may limit or control collection of some usage and performance
+ data through your device settings. Doing so may disrupt your use of
+ certain features of the application. For additional information on
+ Microsoft's data collection and use, see the [Online Services
+ Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
+
+ 2. Misuse of Internet-based Services. You may not use any Internet-based
+ service in any way that could harm it or impair anyone else's use of it
+ or the wireless network. You may not use the service to try to gain
+ unauthorized access to any service, data, account or network by any
+ means.
+
+4. **FEEDBACK.** If you give feedback about the application to Microsoft, you
+ give to Microsoft, without charge, the right to use, share and commercialize
+ your feedback in any way and for any purpose. You also give to third
+ parties, without charge, any patent rights needed for their products,
+ technologies and services to use or interface with any specific parts of a
+ Microsoft software or service that includes the feedback. You will not give
+ feedback that is subject to a license that requires Microsoft to license its
+ software or documentation to third parties because we include your feedback
+ in them. These rights survive this agreement.
+
+5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement
+ only gives you some rights to use the application. Microsoft reserves all
+ other rights. Unless applicable law gives you more rights despite this
+ limitation, you may use the application only as expressly permitted in this
+ agreement. In doing so, you must comply with any technical limitations in
+ the application that only allow you to use it in certain ways. You may not
+
+ - work around any technical limitations in the application;
+
+ - reverse engineer, decompile or disassemble the application, except and
+ only to the extent that applicable law expressly permits, despite this
+ limitation;
+
+ - make more copies of the application than specified in this agreement or
+ allowed by applicable law, despite this limitation;
+
+ - publish the application for others to copy;
+
+ - rent, lease or lend the application; or
+
+ - transfer the application or this agreement to any third party.
+
+6. **EXPORT RESTRICTIONS.** The application is subject to United States export
+ laws and regulations. You must comply with all domestic and international
+ export laws and regulations that apply to the application. These laws
+ include restrictions on destinations, end users and end use. For additional
+ information,
+ see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
+
+7. **SUPPORT SERVICES.** Because this application is "as is," we may not
+ provide support services for it. If you have any issues or questions about
+ your use of this application, including questions about your company's
+ privacy policy, please contact your company's admin. Do not contact the
+ application store, your network operator, device manufacturer, or Microsoft.
+ The application store provider has no obligation to furnish support or
+ maintenance with respect to the application.
+
+8. **APPLICATION STORE.**
+
+ 1. If you obtain the application through an application store (e.g., App
+ Store), please review the applicable application store terms to ensure
+ your download and use of the application complies with such terms.
+ Please note that these Terms are between you and Microsoft and not with
+ the application store.
+
+ 2. The respective application store provider and its subsidiaries are third
+ party beneficiaries of these Terms, and upon your acceptance of these
+ Terms, the application store provider(s) will have the right to directly
+ enforce and rely upon any provision of these Terms that grants them a
+ benefit or rights.
+
+9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and
+ Microsoft 365 are registered or common-law trademarks of Microsoft
+ Corporation in the United States and/or other countries.
+
+10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates,
+ Internet-based services, and support services that you use are the entire
+ agreement for the application and support services.
+
+11. **APPLICABLE LAW.**
+
+ 1. **United States.** If you acquired the application in the United States,
+ Washington state law governs the interpretation of this agreement and
+ applies to claims for breach of it, regardless of conflict of laws
+ principles. The laws of the state where you live govern all other
+ claims, including claims under state consumer protection laws, unfair
+ competition laws, and in tort.
+
+ 2. **Outside the United States.** If you acquired the application in any
+ other country, the laws of that country apply.
+
+12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may
+ have other rights under the laws of your country. You may also have rights
+ with respect to the party from whom you acquired the application. This
+ agreement does not change your rights under the laws of your country if the
+ laws of your country do not permit it to do so.
+
+13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL
+ FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND
+ WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND
+ EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO
+ EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE
+ APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+ APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE
+ ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL
+ CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
+ THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NON-INFRINGEMENT.**
+
+ **FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.**
+
+14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT
+ PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO
+ ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER
+ DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR
+ INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
+
+This limitation applies to:
+
+- anything related to the application, services, content (including code) on
+ third party Internet sites, or third party programs; and
+
+- claims for breach of contract, warranty, guarantee or condition; consumer
+ protection; deception; unfair competition; strict liability, negligence,
+ misrepresentation, omission, trespass or other tort; violation of statute or
+ regulation; or unjust enrichment; all to the extent permitted by applicable
+ law.
+
+It also applies even if:
+
+a. Repair, replacement or refund for the application does not fully compensate
+ you for any losses; or
+
+b. Covered Parties knew or should have known about the possibility of the
+ damages.
+
+The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
index a74c4a0187..c16a3f2448 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
@@ -18,6 +18,9 @@ ms.topic: article
# Isolate machine API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
index 27d42d2a2c..baf41c376e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Configure and validate exclusions for Microsoft Defender ATP for Linux
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
@@ -46,6 +49,9 @@ File | A specific file identified by the full path | `/var/log/test.log`
`/v
Folder | All files under the specified folder (recursively) | `/var/log/`
`/var/*/`
Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
`c?t`
+> [!IMPORTANT]
+> The paths above must be hard links, not symbolic links, in order to be successfully excluded. You can check if a path is a symbolic link by running `file `.
+
File, folder, and process exclusions support the following wildcards:
Wildcard | Description | Example | Matches | Does not match
@@ -104,6 +110,16 @@ Examples:
```bash
mdatp exclusion folder add --path "/var/*/"
```
+
+ > [!NOTE]
+ > This will only exclude paths one level below */var/*, but not folders which are more deeply nested; for example, */var/this-subfolder/but-not-this-subfolder*.
+
+ ```bash
+ mdatp exclusion folder add --path "/var/"
+ ```
+ > [!NOTE]
+ > This will exclude all paths whose parent is */var/*; for example, */var/this-subfolder/and-this-subfolder-as-well*.
+
```Output
Folder exclusion configured successfully
```
@@ -157,4 +173,4 @@ For example, to add `EICAR-Test-File (not a virus)` (the threat name associated
```bash
mdatp threat allowed add --name "EICAR-Test-File (not a virus)"
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 1746f4fcb3..157c193e75 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Deploy Microsoft Defender ATP for Linux manually
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
@@ -328,4 +331,4 @@ When upgrading your operating system to a new major version, you must first unin
## Uninstallation
-See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices.
\ No newline at end of file
+See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
index 52f85ffb99..4e622f504d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Deploy Microsoft Defender ATP for Linux with Ansible
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
index 14677aa8a3..a89c89272b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Deploy Microsoft Defender ATP for Linux with Puppet
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
index bc9ddc57fc..22cebfbcda 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Set preferences for Microsoft Defender ATP for Linux
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
@@ -215,6 +218,28 @@ Specifies the merge policy for threat type settings. This can be a combination o
| **Possible values** | merge (default)
admin_only |
| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+#### Antivirus scan history retention (in days)
+
+Specify the number of days that results are retained in the scan history on the device. Old scan results are removed from the history. Old quarantined files that are also removed from the disk.
+
+|||
+|:---|:---|
+| **Key** | scanResultsRetentionDays |
+| **Data type** | String |
+| **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. |
+| **Comments** | Available in Microsoft Defender ATP version 101.04.76 or higher. |
+
+#### Maximum number of items in the antivirus scan history
+
+Specify the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections.
+
+|||
+|:---|:---|
+| **Key** | scanHistoryMaximumItems |
+| **Data type** | String |
+| **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. |
+| **Comments** | Available in Microsoft Defender ATP version 101.04.76 or higher. |
+
### Cloud-delivered protection preferences
The *cloudService* entry in the configuration profile is used to configure the cloud-driven protection feature of the product.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md
index 448b784c40..e5d120eb83 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Privacy for Microsoft Defender ATP for Linux
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
index 50067c7547..40ac81e1d0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
@@ -62,4 +65,4 @@ In your enterprise, you can configure PUA protection from a management console,
## Related articles
-- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md)
\ No newline at end of file
+- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
index addb17136c..e79f91ce6c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Resources
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
@@ -149,4 +152,4 @@ In the Microsoft Defender ATP portal, you'll see two categories of information:
```bash
sudo SUSEConnect --status-text
- ```
\ No newline at end of file
+ ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
index 04ec1f7937..d2df9ea151 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Configure Microsoft Defender ATP for Linux for static proxy discovery
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
index 86e2b4f38e..81de10526e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
@@ -91,4 +94,4 @@ If the problem persists, contact customer support.
## Resources
-- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md).
\ No newline at end of file
+- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
index 67c96c9bdf..5453c8c205 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Troubleshoot installation issues for Microsoft Defender ATP for Linux
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
index a4c54a9aa4..e0c27b4a46 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Troubleshoot performance issues for Microsoft Defender ATP for Linux
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
index 50bbc417f9..adc018682b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Deploy updates for Microsoft Defender ATP for Linux
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
index a35d6e6d1a..302d9c6717 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
@@ -19,6 +19,13 @@ ms.topic: conceptual
# What's new in Microsoft Defender Advanced Threat Protection for Linux
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+## 101.04.76
+
+- Bug fixes
+
## 101.03.48
- Bug fixes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
index 0d734e593a..68a0143833 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
@@ -19,6 +19,9 @@ ms.topic: article
# Live response command examples
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index 56f59ba081..35a1c20298 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -19,6 +19,9 @@ ms.topic: article
# Investigate entities on devices using live response
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
index 4e97dc6960..2399987032 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Configure and validate exclusions for Microsoft Defender ATP for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md
new file mode 100644
index 0000000000..49c40a09a3
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md
@@ -0,0 +1,44 @@
+---
+title: Log in to Jamf Pro
+description: Log in to Jamf Pro
+keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Log in to Jamf Pro
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+1. Enter your credentials.
+
+ 
+
+2. Select **Computers**.
+
+ 
+
+3. You will see the settings that are available.
+
+ 
+
+
+## Next step
+[Setup the device groups in Jamf Pro](mac-jamfpro-device-groups.md)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
index 448468935d..daea53aa5e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Manual deployment for Microsoft Defender ATP for macOS
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for macOS](microsoft-defender-atp-mac.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
index 2dd67831b1..17f2c90546 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Intune-based deployment for Microsoft Defender ATP for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
> [!NOTE]
> This documentation explains the legacy method for deploying and configuring Microsoft Defender ATP on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and deploy the application and send it down to macOS devices.
>The blog post [MEM simplifies deployment of Microsoft Defender ATP for macOS](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995) explains the new features. To configure the app, go to [Settings for Microsoft Defender ATP for Mac in Microsoft InTune](https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos). To deploy the app, go to [Add Microsoft Defender ATP to macOS devices using Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
index efdb013295..f0d4ab8a8a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
@@ -1,7 +1,7 @@
---
-title: JAMF-based deployment for Microsoft Defender ATP for Mac
-description: Learn about all the steps needed to deploy Microsoft Defender Advanced Threat Protection for Mac through JAMF.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
+title: Deploying Microsoft Defender ATP for macOS with Jamf Pro
+description: Deploying Microsoft Defender ATP for macOS with Jamf Pro
+keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -15,361 +15,27 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/10/2020
---
-# JAMF-based deployment for Microsoft Defender ATP for Mac
+# Deploying Microsoft Defender ATP for macOS with Jamf Pro
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
-This article describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps:
+Learn how to deploy Microsoft Defender ATP for macOS with Jamf Pro.
-1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-1. [Create JAMF policies](#create-jamf-policies)
-1. [Client device setup](#client-device-setup)
-1. [Deployment](#deployment)
-1. [Check onboarding status](#check-onboarding-status)
+This is a multi step process. You'll need to complete all of the following steps:
-## Prerequisites and system requirements
+- [Login to the Jamf Portal](mac-install-jamfpro-login.md)
+- [Setup the Microsoft Defender ATP for macOS device groups in Jamf Pro](mac-jamfpro-device-groups.md)
+- [Setup the Microsoft Defender ATP for macOS policies in Jamf Pro](mac-jamfpro-policies.md)
+- [Enroll the Microsoft Defender ATP for macOS devices into Jamf Pro](mac-jamfpro-enroll-devices.md)
-Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
-In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow.
-## Overview
-The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via JAMF. More detailed steps are available below.
-| Step | Sample file names | BundleIdentifier |
-|-|-|-|
-| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
-| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)
**Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav |
-| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdav.tray |
-| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#jamf) | MDATP_Microsoft_AutoUpdate.mobileconfig | com.microsoft.autoupdate2 |
-| [Grant Full Disk Access to Microsoft Defender ATP](#privacy-preferences-policy-control) | Note: If there was one, MDATP_tcc_Catalina_or_newer.plist | com.microsoft.wdav.tcc |
-| [Approve Kernel Extension for Microsoft Defender ATP](#approved-kernel-extension) | Note: If there was one, MDATP_KExt.plist | N/A |
-
-## Download installation and onboarding packages
-
-Download the installation and onboarding packages from Microsoft Defender Security Center:
-
-1. In Microsoft Defender Security Center, go to **Settings > Device management > Onboarding**.
-2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
- 
-
- > [!NOTE]
- > Jamf falls under **Mobile Device Management**.
-
-3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
-4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
-5. From the command prompt, verify that you have the two files.
-
- ```bash
- ls -l
- ```
- ```Output
- total 721160
- -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
- -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
- ```
-6. Extract the contents of the .zip files like so:
-
- ```bash
- unzip WindowsDefenderATPOnboardingPackage.zip
- ```
- ```Output
- Archive: WindowsDefenderATPOnboardingPackage.zip
- warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
- inflating: intune/kext.xml
- inflating: intune/WindowsDefenderATPOnboarding.xml
- inflating: jamf/WindowsDefenderATPOnboarding.plist
- ```
-
-## Create JAMF policies
-
-You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client devices.
-
-### Configuration Profile
-
-The configuration profile contains a custom settings payload that includes the following:
-
-- Microsoft Defender ATP for Mac onboarding information
-- Approved Kernel Extensions payload to enable running the Microsoft kernel driver
-
-To set the onboarding information, add a property list file that is named **jamf/WindowsDefenderATPOnboarding.plist** as a custom setting. To do this, select **Computers** > **Configuration Profiles** > **New**, and then select **Application & Custom Settings** > **Configure**. From there, you can upload the property list.
-
-
- >[!IMPORTANT]
- > You have to set the **Preference Domain** to **com.microsoft.wdav.atp**. There are some changes to the Custom Payloads and also to the Jamf Pro user interface in version 10.18 and later versions. For more information about the changes, see [Configuration Profile Payload Settings Specific to Jamf Pro](https://www.jamf.com/jamf-nation/articles/217/configuration-profile-payload-settings-specific-to-jamf-pro).
-
-
-
-### Approved Kernel Extension
-
-To approve the kernel extension:
-
-1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**.
-2. Use **UBF8T346G9** for Team Id.
-
- 
-
-### Privacy Preferences Policy Control
-
-> [!CAUTION]
-> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
->
-> If you previously configured Microsoft Defender ATP through JAMF, we recommend applying the following configuration.
-
-Add the following JAMF policy to grant Full Disk Access to Microsoft Defender ATP.
-
-1. Select **Options > Privacy Preferences Policy Control**.
-2. Use any identifier and identifier type = Bundle.
-3. Set Code Requirement to `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`.
-4. Set app or service to SystemPolicyAllFiles and access to Allow.
-
- 
-
-#### Configuration Profile's Scope
-
-Configure the appropriate scope to specify the devices that will receive the configuration profile.
-
-Open **Computers** > **Configuration Profiles**, and select **Scope > Targets**. From there, select the devices you want to target.
-
-
-
-Save the **Configuration Profile**.
-
-Use the **Logs** tab to monitor deployment status for each enrolled device.
-
-### Notification settings
-
-Starting in macOS 10.15 (Catalina) a user must manually allow to display notifications in UI. To auto-enable notifications from Defender and Auto Update, you can import the .mobileconfig below into a separate configuration profile and assign it to all devices with Defender:
-
- ```xml
-
-
-
- PayloadContent
-
-
- NotificationSettings
-
-
- AlertType
- 2
- BadgesEnabled
-
- BundleIdentifier
- com.microsoft.autoupdate2
- CriticalAlertEnabled
- GroupingType
- 0
- NotificationsEnabled
-
- ShowInLockScreen
-
- ShowInNotificationCenter
-
- SoundsEnabled
-
-
-
- AlertType
- 2BadgesEnabled
- BundleIdentifier
- com.microsoft.wdav.tray
- CriticalAlertEnabled
- GroupingType
- 0
- NotificationsEnabled
- ShowInLockScreen
- ShowInNotificationCenter
- SoundsEnabled
-
-
-
- PayloadDescription
- PayloadDisplayName
- notifications
- PayloadEnabled
- PayloadIdentifier
- BB977315-E4CB-4915-90C7-8334C75A7C64
- PayloadOrganization
- Microsoft
- PayloadType
- com.apple.notificationsettings
- PayloadUUID
- BB977315-E4CB-4915-90C7-8334C75A7C64
- PayloadVersion
- 1
-
-
- PayloadDescription
- PayloadDisplayName
- mdatp - allow notifications
- PayloadEnabled
- PayloadIdentifier
- 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
- PayloadOrganization
- Microsoft
- PayloadRemovalDisallowed
- PayloadScope
- System
- PayloadType
- Configuration
- PayloadUUID
- 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
- PayloadVersion
- 1
-
-
- ```
-
-### Package
-
-1. Create a package in **Settings > Computer Management > Packages**.
-
- 
-
-2. Upload the package to the Distribution Point.
-3. In the **filename** field, enter the name of the package. For example, _wdav.pkg_.
-
-### Policy
-
-Your policy should contain a single package for Microsoft Defender.
-
-
-
-Configure the appropriate scope to specify the computers that will receive this policy.
-
-After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled device.
-
-## Client device setup
-
-You'll need no special provisioning for a macOS computer, beyond the standard JAMF Enrollment.
-
-> [!NOTE]
-> After a computer is enrolled, it will show up in the Computers inventory (All Computers).
-
- - Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile.
-
- 
- 
-
- After a moment, the device's User Approved MDM status will change to **Yes**.
-
- 
-
- You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages.
-
-## Deployment
-
-Enrolled client devices periodically poll the JAMF Server, and install new configuration profiles and policies as soon as they are detected.
-
-### Status on the server
-
-You can monitor deployment status in the **Logs** tab:
-
-- **Pending** means that the deployment is scheduled but has not yet happened
-- **Completed** means that the deployment succeeded and is no longer scheduled
-
-
-
-### Status on client device
-
-After the Configuration Profile is deployed, you'll see the profile for the device in **System Preferences** > **Profiles >**.
-
-
-
-Once the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner.
-
-
-
-You can monitor policy installation on a device by following the JAMF log file:
-
-```bash
- tail -f /var/log/jamf.log
-```
-
-```Output
- Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
- Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"...
- Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
- Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender...
- Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender.
- Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches...
- Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found.
-```
-
-You can also check the onboarding status:
-
-```bash
-mdatp --health
-```
-
-```Output
-...
-licensed : true
-orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
-...
-```
-
-- **licensed**: This confirms that the device has an ATP license.
-
-- **orgid**: Your Microsoft Defender ATP org id; it will be the same for your organization.
-
-## Check onboarding status
-
-You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
-
-```bash
-mdatp --health healthy
-```
-
-The above command prints "1" if the product is onboarded and functioning as expected.
-
-If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
-
-- 0 if the device is not yet onboarded
-- 3 if the connection to the daemon cannot be established—for example, if the daemon is not running
-
-## Logging installation issues
-
-See [Logging installation issues](mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
-
-## Uninstallation
-
-This method is based on the script described in [Uninstalling](mac-resources.md#uninstalling).
-
-### Script
-
-Create a script in **Settings > Computer Management > Scripts**.
-
-This script removes Microsoft Defender ATP from the /Applications directory:
-
-```bash
- #!/bin/bash
-
- echo "Is WDAV installed?"
- ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
-
- echo "Uninstalling WDAV..."
- rm -rf '/Applications/Microsoft Defender ATP.app'
-
- echo "Is WDAV still installed?"
- ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
-
- echo "Done!"
-```
-
-
-
-### Policy
-
-Your policy should contain a single script:
-
-
-
-Configure the appropriate scope in the **Scope** tab to specify the devices that will receive this policy.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
index 29dbf4fa14..39ec2b13b7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender ATP for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
@@ -53,17 +56,17 @@ Most MDM solutions use the same model for managing macOS devices, with similar t
### Package
-Configure deployment of a [required application package](mac-install-with-jamf.md#package),
-with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md#download-installation-and-onboarding-packages).
+Configure deployment of a [required application package](mac-install-with-jamf.md),
+with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md).
In order to deploy the package to your enterprise, use the instructions associated with your MDM solution.
### License settings
-Set up [a system configuration profile](mac-install-with-jamf.md#configuration-profile).
+Set up [a system configuration profile](mac-install-with-jamf.md).
Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender ATP for Mac is not part of macOS.
-Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md#download-installation-and-onboarding-packages).
+Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md).
Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
Alternatively, it may require you to convert the property list to a different format first.
@@ -76,4 +79,4 @@ Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to
## Check installation status
-Run [mdatp](mac-install-with-jamf.md#check-onboarding-status) on a client device to check the onboarding status.
+Run [mdatp](mac-install-with-jamf.md) on a client device to check the onboarding status.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
new file mode 100644
index 0000000000..0c869e76e4
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
@@ -0,0 +1,46 @@
+---
+title: Set up device groups in Jamf Pro
+description: Learn how to set up device groups in Jamf Pro for Microsoft Defender ATP for macOS
+keywords: device, group, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Set up Microsoft Defender ATP for macOS device groups in Jamf Pro
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+Set up the device groups similar to Group policy organizational unite (OUs), Microsoft Endpoint Configuration Manager's device collection, and Intune's device groups.
+
+1. Navigate to **Static Computer Groups**.
+
+2. Select **New**.
+
+ 
+
+3. Provide a display name and select **Save**.
+
+ 
+
+4. Now you will see the **Contoso's Machine Group** under **Static Computer Groups**.
+
+ 
+
+## Next step
+- [Set up Microsoft Defender ATP for macOS policies in Jamf Pro](mac-jamfpro-policies.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md
new file mode 100644
index 0000000000..fd353eceb3
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md
@@ -0,0 +1,103 @@
+---
+title: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro
+description: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro
+keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Enroll Microsoft Defender ATP for macOS devices into Jamf Pro
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+## Enroll macOS devices
+
+There are multiple methods of getting enrolled to JamF.
+
+This article will guide you on two methods:
+
+- [Method 1: Enrollment Invitations](#enrollment-method-1-enrollment-invitations)
+- [Method 2: Prestage Enrollments](#enrollment-method-2-prestage-enrollments)
+
+For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/casper-suite/administrator-guide/About_Computer_Enrollment.html).
+
+
+## Enrollment Method 1: Enrollment Invitations
+
+1. In the Jamf Pro dashboard, navigate to **Enrollment invitations**.
+
+ 
+
+2. Select **+ New**.
+
+ 
+
+3. In **Specify Recipients for the Invitation** > under **Email Addresses** enter the e-mail address(es) of the recipients.
+
+ 
+
+ 
+
+ For example: janedoe@contoso.com
+
+ 
+
+4. Configure the message for the invitation.
+
+ 
+
+ 
+
+ 
+
+ 
+
+## Enrollment Method 2: Prestage Enrollments
+
+1. In the Jamf Pro dashboard, navigate to **Prestage enrollments**.
+
+ 
+
+2. Follow the instructions in [Computer PreStage Enrollments](https://docs.jamf.com/9.9/casper-suite/administrator-guide/Computer_PreStage_Enrollments.html).
+
+## Enroll macOS device
+
+1. Select **Continue** and install the CA certificate from a **System Preferences** window.
+
+ 
+
+2. Once CA certificate is installed, return to the browser window and select **Continue** and install the MDM profile.
+
+ 
+
+3. Select **Allow** to downloads from JAMF.
+
+ 
+
+4. Select **Continue** to proceed with the MDM Profile installation.
+
+ 
+
+5. Select **Continue** to install the MDM Profile.
+
+ 
+
+6. Select **Continue** to complete the configuration.
+
+ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
new file mode 100644
index 0000000000..19be21f34f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
@@ -0,0 +1,794 @@
+---
+title: Set up the Microsoft Defender ATP for macOS policies in Jamf Pro
+description: Learn how to set up the Microsoft Defender ATP for macOS policies in Jamf Pro
+keywords: policies, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Set up the Microsoft Defender ATP for macOS policies in Jamf Pro
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+This page will guide you through the steps you need to take to set up macOS policies in Jamf Pro.
+
+You'll need to take the following steps:
+
+1. [Get the Microsoft Defender ATP onboarding package](#step-1-get-the-microsoft-defender-atp-onboarding-package)
+
+2. [Create a configuration profile in Jamf Pro using the onboarding package](#step-2-create-a-configuration-profile-in-jamf-pro-using-the-onboarding-package)
+
+3. [Configure Microsoft Defender ATP settings](#step-3-configure-microsoft-defender-atp-settings)
+
+4. [Configure Microsoft Defender ATP notification settings](#step-4-configure-notifications-settings)
+
+5. [Configure Microsoft AutoUpdate (MAU)](#step-5-configure-microsoft-autoupdate-mau)
+
+6. [Grant full disk access to Microsoft Defender ATP](#step-6-grant-full-disk-access-to-microsoft-defender-atp)
+
+7. [Approve Kernel extension for Microsoft Defender ATP](#step-7-approve-kernel-extension-for-microsoft-defender-atp)
+
+8. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
+
+9. [Deploy Microsoft Defender ATP for macOS](#step-9-deploy-microsoft-defender-atp-for-macos)
+
+
+## Step 1: Get the Microsoft Defender ATP onboarding package
+
+1. In [Microsoft Defender Security Center](https://securitycenter.microsoft.com ), navigate to **Settings > Onboarding**.
+
+2. Select macOS as the operating system and Mobile Device Management / Microsoft Intune as the deployment method.
+
+ 
+
+3. Select **Download onboarding package** (WindowsDefenderATPOnboardingPackage.zip).
+
+4. Extract `WindowsDefenderATPOnboardingPackage.zip`.
+
+5. Copy the file to your preferred location. For example, `C:\Users\JaneDoe_or_JohnDoe.contoso\Downloads\WindowsDefenderATPOnboardingPackage_macOS_MDM_contoso\jamf\WindowsDefenderATPOnboarding.plist`.
+
+
+## Step 2: Create a configuration profile in Jamf Pro using the onboarding package
+
+1. Locate the file `WindowsDefenderATPOnboarding.plist` from the previous section.
+
+ 
+
+
+2. In the Jamf Pro dashboard, select **New**.
+
+ 
+
+3. Enter the following details:
+
+ **General**
+ - Name: MDATP onboarding for macOS
+ - Description: MDATP EDR onboarding for macOS
+ - Category: None
+ - Distribution Method: Install Automatically
+ - Level: Computer Level
+
+4. In **Application & Custom Settings** select **Configure**.
+
+ 
+
+5. Select **Upload File (PLIST file)** then in **Preference Domain** enter: `com.microsoft.wdav.atp`.
+
+ 
+
+ 
+
+7. Select **Open** and select the onboarding file.
+
+ 
+
+8. Select **Upload**.
+
+ 
+
+
+9. Select the **Scope** tab.
+
+ 
+
+10. Select the target computers.
+
+ 
+
+ 
+
+11. Select **Save**.
+
+ 
+
+ 
+
+12. Select **Done**.
+
+ 
+
+ 
+
+## Step 3: Configure Microsoft Defender ATP settings
+
+1. Use the following Microsoft Defender ATP configuration settings:
+
+ - enableRealTimeProtection
+ - passiveMode
+
+ >[!NOTE]
+ >Not turned on by default, if you are planning to run a third-party AV for macOS, set it to `true`.
+
+ - exclusions
+ - excludedPath
+ - excludedFileExtension
+ - excludedFileName
+ - exclusionsMergePolicy
+ - allowedThreats
+
+ >[!NOTE]
+ >EICAR is on the sample, if you are going through a proof-of-concept, remove it especially if you are testing EICAR.
+
+ - disallowedThreatActions
+ - potentially_unwanted_application
+ - archive_bomb
+ - cloudService
+ - automaticSampleSubmission
+ - tags
+ - hideStatusMenuIcon
+
+ For information, see [Property list for Jamf configuration profile](mac-preferences.md#property-list-for-jamf-configuration-profile).
+
+```XML
+
+
+
+
+ antivirusEngine
+
+ enableRealTimeProtection
+
+ passiveMode
+
+ exclusions
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /var/log/system.log
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /home
+
+
+ $type
+ excludedFileExtension
+ extension
+ pdf
+
+
+ $type
+ excludedFileName
+ name
+ cat
+
+
+ exclusionsMergePolicy
+ merge
+ allowedThreats
+
+ EICAR-Test-File (not a virus)
+
+ disallowedThreatActions
+
+ allow
+ restore
+
+ threatTypeSettings
+
+
+ key
+ potentially_unwanted_application
+ value
+ block
+
+
+ key
+ archive_bomb
+ value
+ audit
+
+
+ threatTypeSettingsMergePolicy
+ merge
+
+ cloudService
+
+ enabled
+
+ diagnosticLevel
+ optional
+ automaticSampleSubmission
+
+
+ edr
+
+ tags
+
+
+ key
+ GROUP
+ value
+ ExampleTag
+
+
+
+ userInterface
+
+ hideStatusMenuIcon
+
+
+
+
+```
+
+2. Save the file as `MDATP_MDAV_configuration_settings.plist`.
+
+
+3. In the Jamf Pro dashboard, select **General**.
+
+ 
+
+4. Enter the following details:
+
+ **General**
+ - Name: MDATP MDAV configuration settings
+ - Description:\
+ - Category: None (default)
+ - Distribution Method: Install Automatically(default)
+ - Level: Computer Level(default)
+
+ 
+
+5. In **Application & Custom Settings** select **Configure**.
+
+ 
+
+6. Select **Upload File (PLIST file)**.
+
+ 
+
+7. In **Preferences Domain**, enter `com.microsoft.wdav`, then select **Upload PLIST File**.
+
+ 
+
+8. Select **Choose File**.
+
+ 
+
+9. Select the **MDATP_MDAV_configuration_settings.plist**, then select **Open**.
+
+ 
+
+10. Select **Upload**.
+
+ 
+
+ 
+
+ >[!NOTE]
+ >If you happen to upload the Intune file, you'll get the following error:
+ >
+
+
+11. Select **Save**.
+
+ 
+
+12. The file is uploaded.
+
+ 
+
+ 
+
+13. Select the **Scope** tab.
+
+ 
+
+14. Select **Contoso's Machine Group**.
+
+15. Select **Add**, then select **Save**.
+
+ 
+
+ 
+
+16. Select **Done**. You'll see the new **Configuration profile**.
+
+ 
+
+
+## Step 4: Configure notifications settings
+
+These steps are applicable of macOS 10.15 (Catalina) or newer.
+
+1. Use the following Microsoft Defender ATP notification configuration settings:
+
+```xml
+
+
+
+ PayloadContent
+
+
+ NotificationSettings
+
+
+ AlertType
+ 2
+ BadgesEnabled
+
+ BundleIdentifier
+ com.microsoft.autoupdate2
+ CriticalAlertEnabled
+ GroupingType
+ 0
+ NotificationsEnabled
+
+ ShowInLockScreen
+
+ ShowInNotificationCenter
+
+ SoundsEnabled
+
+
+
+ AlertType
+ 2BadgesEnabled
+ BundleIdentifier
+ com.microsoft.wdav.tray
+ CriticalAlertEnabled
+ GroupingType
+ 0
+ NotificationsEnabled
+ ShowInLockScreen
+ ShowInNotificationCenter
+ SoundsEnabled
+
+
+
+ PayloadDescription
+ PayloadDisplayName
+ notifications
+ PayloadEnabled
+ PayloadIdentifier
+ BB977315-E4CB-4915-90C7-8334C75A7C64
+ PayloadOrganization
+ Microsoft
+ PayloadType
+ com.apple.notificationsettings
+ PayloadUUID
+ BB977315-E4CB-4915-90C7-8334C75A7C64
+ PayloadVersion
+ 1
+
+
+ PayloadDescription
+ PayloadDisplayName
+ mdatp - allow notifications
+ PayloadEnabled
+ PayloadIdentifier
+ 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
+ PayloadOrganization
+ Microsoft
+ PayloadRemovalDisallowed
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
+ PayloadVersion
+ 1
+
+
+ ```
+
+2. Save it as `MDATP_MDAV_notification_settings.plist`.
+
+3. In the Jamf Pro dashboard, select **General**.
+
+4. Enter the following details:
+
+ **General**
+ - Name: MDATP MDAV Notification settings
+ - Description: macOS 10.15 (Catalina) or newer
+ - Category: None (default)
+ - Distribution Method: Install Automatically(default)
+ - Level: Computer Level(default)
+
+ 
+
+
+5. Select **Upload File (PLIST file)**.
+
+ 
+
+
+6. Select **Choose File** > **MDATP_MDAV_Notification_Settings.plist**.
+
+
+ 
+
+
+ 
+
+7. Select **Open** > **Upload**.
+
+ 
+
+
+ 
+
+8. Select the **Scope** tab, then select **Add**.
+
+ 
+
+
+9. Select **Contoso's Machine Group**.
+
+10. Select **Add**, then select **Save**.
+
+ 
+
+
+ 
+
+11. Select **Done**. You'll see the new **Configuration profile**.
+ 
+
+## Step 5: Configure Microsoft AutoUpdate (MAU)
+
+1. Use the following Microsoft Defender ATP configuration settings:
+
+```XML
+
+
+
+
+ ChannelName
+ Production
+ HowToCheck
+ AutomaticDownload
+ EnableCheckForUpdatesButton
+
+ DisableInsiderCheckbox
+
+ SendAllTelemetryEnabled
+
+
+
+```
+
+2. Save it as `MDATP_MDAV_MAU_settings.plist`.
+
+3. In the Jamf Pro dashboard, select **General**.
+
+ 
+
+4. Enter the following details:
+
+ **General**
+ - Name: MDATP MDAV MAU settings
+ - Description: Microsoft AutoUpdate settings for MDATP for macOS
+ - Category: None (default)
+ - Distribution Method: Install Automatically(default)
+ - Level: Computer Level(default)
+
+5. In **Application & Custom Settings** select **Configure**.
+
+ 
+
+6. Select **Upload File (PLIST file)**.
+
+ 
+
+7. In **Preference Domain** enter: `com.microsoft.autoupdate2`, then select **Upload PLIST File**.
+
+ 
+
+8. Select **Choose File**.
+
+ 
+
+9. Select **MDATP_MDAV_MAU_settings.plist**.
+
+ 
+
+10. Select **Upload**.
+ 
+
+ 
+
+11. Select **Save**.
+
+ 
+
+12. Select the **Scope** tab.
+
+ 
+
+13. Select **Add**.
+
+ 
+
+ 
+
+ 
+
+14. Select **Done**.
+
+ 
+
+## Step 6: Grant full disk access to Microsoft Defender ATP
+
+1. In the Jamf Pro dashboard, select **Configuration Profiles**.
+
+ 
+
+2. Select **+ New**.
+
+3. Enter the following details:
+
+ **General**
+ - Name: MDATP MDAV - grant Full Disk Access to EDR and AV
+ - Description: On macOS Catalina or newer, the new Privacy Preferences Policy Control
+ - Category: None
+ - Distribution method: Install Automatically
+ - Level: Computer level
+
+
+ 
+
+4. In **Configure Privacy Preferences Policy Control** select **Configure**.
+
+ 
+
+5. In **Privacy Preferences Policy Control**, enter the following details:
+
+ - Identifier: `com.microsoft.wdav`
+ - Identifier Type: Bundle ID
+ - Code Requirement: identifier `com.microsoft.wdav` and anchor apple generic and
+certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate
+leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate
+leaf[subject.OU] = UBF8T346G9
+
+
+ 
+
+6. Select **+ Add**.
+
+ 
+
+
+ - Under App or service: Set to **SystemPolicyAllFiles**
+
+ - Under "access": Set to **Allow**
+
+7. Select **Save** (not the one at the bottom right).
+
+ 
+
+8. Select the **Scope** tab.
+
+ 
+
+ 9. Select **+ Add**.
+
+ 
+
+10. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
+
+ 
+
+11. Select **Add**.
+
+12. Select **Save**.
+
+13. Select **Done**.
+
+ 
+
+ 
+
+
+## Step 7: Approve Kernel extension for Microsoft Defender ATP
+
+1. In the **Configuration Profiles**, select **+ New**.
+
+ 
+
+2. Enter the following details:
+
+ **General**
+ - Name: MDATP MDAV Kernel Extension
+ - Description: MDATP kernel extension (kext)
+ - Category: None
+ - Distribution Method: Install Automatically
+ - Level: Computer Level
+
+ 
+
+3. In **Configure Approved Kernel Extensions** select **Configure**.
+
+ 
+
+
+
+4. In **Approved Kernel Extensions** Enter the following details:
+
+ - Display Name: Microsoft Corp.
+ - Team ID: UBF8T346G9
+
+ 
+
+5. Select the **Scope** tab.
+
+ 
+
+6. Select **+ Add**.
+
+7. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
+
+8. Select **+ Add**.
+
+ 
+
+9. Select **Save**.
+
+ 
+
+10. Select **Done**.
+
+ 
+
+
+## Step 8: Schedule scans with Microsoft Defender ATP for Mac
+Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
+
+## Step 9: Deploy Microsoft Defender ATP for macOS
+
+1. Navigate to where you saved `wdav.pkg`.
+
+ 
+
+2. Rename it to `wdav_MDM_Contoso_200329.pkg`.
+
+ 
+
+3. Open the Jamf Pro dashboard.
+
+ 
+
+4. Navigate to **Advanced Computer Searches**.
+
+ 
+
+5. Select **Computer Management**.
+
+ 
+
+6. In **Packages**, select **+ New**.
+ 
+
+7. In **New Package** Enter the following details:
+
+ **General tab**
+ - Display Name: Leave it blank for now. Because it will be reset when you choose your pkg.
+ - Category: None (default)
+ - Filename: Choose File
+
+ 
+
+ Open the file and point it to `wdav.pkg` or `wdav_MDM_Contoso_200329.pkg`.
+
+ 
+
+8. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
+
+ - Manifest File: Select **Upload Manifest File**.
+
+ **Options tab**
Keep default values.
+
+ **Limitations tab**
Keep default values.
+
+ 
+
+9. Select **Save**. The package is uploaded to Jamf Pro.
+ 
+
+ It can take a few minutes for the package to be available for deployment.
+ 
+
+10. Navigate to the **Policies** page.
+
+ 
+
+11. Select **+ New** to create a new policy.
+
+ 
+
+
+12. In **General** Enter the following details:
+
+ - Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later
+
+ 
+
+13. Select **Recurring Check-in**.
+
+ 
+
+
+14. Select **Save**.
+
+15. Select **Packages > Configure**.
+
+ 
+
+16. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
+
+ 
+
+17. Select **Save**.
+ 
+
+18. Select the **Scope** tab.
+ 
+
+19. Select the target computers.
+
+ 
+
+ **Scope**
+ Select **Add**.
+ 
+
+ 
+
+ **Self-Service**
+ 
+
+20. Select **Done**.
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index e2f79e5846..a85c712b92 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Set preferences for Microsoft Defender ATP for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
@@ -28,7 +31,7 @@ ms.topic: conceptual
## Summary
-In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Users in your organization are not able to change preferences that are set through the configuration profile.
+In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Changing the preferences that are set through the configuration profile requires escalated privileges and is not available for users without administrative permissions.
This article describes the structure of the configuration profile, includes a recommended profile that you can use to get started, and provides instructions on how to deploy the profile.
@@ -233,6 +236,30 @@ Specify the merge policy for threat type settings. This can be a combination of
| **Possible values** | merge (default)
admin_only |
| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+#### Antivirus scan history retention (in days)
+
+Specify the number of days that results are retained in the scan history on the device. Old scan results are removed from the history. Old quarantined files that are also removed from the disk.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | scanResultsRetentionDays |
+| **Data type** | String |
+| **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. |
+| **Comments** | Available in Microsoft Defender ATP version 101.07.23 or higher. |
+
+#### Maximum number of items in the antivirus scan history
+
+Specify the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | scanHistoryMaximumItems |
+| **Data type** | String |
+| **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. |
+| **Comments** | Available in Microsoft Defender ATP version 101.07.23 or higher. |
+
### Cloud-delivered protection preferences
Configure the cloud-driven protection features of Microsoft Defender ATP for Mac.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md
index 4cb8256cd5..5bb254d10c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Privacy for Microsoft Defender ATP for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
index 5fbcec859f..e13d95555f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Detect and block potentially unwanted applications with Microsoft Defender ATP for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
@@ -62,4 +65,4 @@ In your enterprise, you can configure PUA protection from a management console,
## Related topics
-- [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md)
\ No newline at end of file
+- [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index c82f6bfdb6..2aafa7220d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Resources for Microsoft Defender ATP for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
index b06971e544..5fde32aab8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Schedule scans with Microsoft Defender ATP for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week.
## Schedule a scan with *launchd*
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
index 7c4e538f90..feb636fd2d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Troubleshoot installation issues for Microsoft Defender ATP for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
index e8edd981e3..f773e91875 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Troubleshoot kernel extension issues in Microsoft Defender ATP for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
@@ -49,7 +52,7 @@ The following sections provide guidance on how to address this issue, depending
See the instructions corresponding to the management tool that you used to deploy the product:
-- [JAMF-based deployment](mac-install-with-jamf.md#configuration-profile)
+- [JAMF-based deployment](mac-install-with-jamf.md)
- [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles)
## Manual deployment
@@ -95,4 +98,4 @@ In this case, you need to perform the following steps to trigger the approval fl
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
...
- ```
\ No newline at end of file
+ ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md
index 77c330a95d..72cfd50ff0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Troubleshoot license issues for Microsoft Defender ATP for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
index 4bdc6a325d..04cfb43c25 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Troubleshoot performance issues for Microsoft Defender ATP for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
index 3cd6ef23e7..24c22d7bd0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
@@ -20,6 +20,9 @@ ROBOTS: noindex,nofollow
# New configuration profiles for macOS Catalina and newer versions of macOS
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS.
If you have deployed Microsoft Defender ATP for Mac in a managed environment (through JAMF, Intune, or another MDM solution), you must deploy new configuration profiles. Failure to do these steps will result in users getting approval prompts to run these new components.
@@ -279,3 +282,5 @@ To deploy this custom configuration profile:
+5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
+6. Review and create this configuration profile.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
index d480a11fb7..27ec242709 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
@@ -20,6 +20,9 @@ ROBOTS: noindex,nofollow
# Microsoft Defender ATP for Mac - System Extensions (Public Preview)
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS.
This functionality is currently in public preview. This article contains instructions for enabling this functionality on your device. You can choose to try out this feature locally on your own device or configure it remotely through a management tool.
@@ -144,4 +147,4 @@ curl -o "MDATP MacOS DIY.zip" https://aka.ms/mdatpmacosdiy
- Q: When is macOS 11 Big Sur going to be supported?
- A: We are actively working on adding support for macOS 11. We will post more information to the [What's new](mac-whatsnew.md).
\ No newline at end of file
+ A: We are actively working on adding support for macOS 11. We will post more information to the [What's new](mac-whatsnew.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
index 16b648b1c4..a356d8d895 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Deploy updates for Microsoft Defender ATP for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
@@ -221,4 +224,4 @@ To configure MAU, you can deploy this configuration profile from the management
## Resources
-- [msupdate reference](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate)
\ No newline at end of file
+- [msupdate reference](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index ce8693466d..7748721340 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# What's new in Microsoft Defender Advanced Threat Protection for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
> [!IMPORTANT]
> In preparation for macOS 11 Big Sur, we are getting ready to release an update to Microsoft Defender ATP for Mac that will leverage new system extensions instead of kernel extensions. Apple will stop supporting kernel extensions starting macOS 11 Big Sur version. Therefore an update to the Microsoft Defender ATP for Mac agent is required on all eligible macOS devices prior to moving these devices to macOS 11.
>
@@ -38,6 +41,23 @@ ms.topic: conceptual
> 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
> 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update.
+## 101.09.49
+
+- User interface improvements to differentiate exclusions that are managed by the IT administrator versus exclusions defined by the local user
+- Improved CPU utilization during on-demand scans
+- Performance improvements & bug fixes
+
+## 101.07.23
+
+- Added new fields to the output of `mdatp --health` for checking the status of passive mode and the EDR group ID
+
+ > [!NOTE]
+ > `mdatp --health` will be replaced with `mdatp health` in a future product update.
+
+- Fixed a bug where automatic sample submission was not marked as managed in the user interface
+- Added new settings for controlling the retention of items in the antivirus scan history. You can now [specify the number of days to retain items in the scan history](mac-preferences.md#antivirus-scan-history-retention-in-days) and [specify the maximum number of items in the scan history](mac-preferences.md#maximum-number-of-items-in-the-antivirus-scan-history)
+- Bug fixes
+
## 101.06.63
- Addressed a performance regression introduced in version `101.05.17`. The regression was introduced with the fix to eliminate the kernel panics some customers have observed when accessing SMB shares. We have reverted this code change and are investigating alternative ways to eliminate the kernel panics.
@@ -146,6 +166,6 @@ ms.topic: conceptual
> The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP:
>
> - For manual deployments, see the updated instructions in the [Manual deployment](mac-install-manually.md#how-to-allow-full-disk-access) topic.
- > - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md#privacy-preferences-policy-control) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
+ > - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
- Performance improvements & bug fixes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md
index 55b903fa52..678340162e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md
@@ -19,6 +19,9 @@ ms.topic: article
# Create and manage device groups
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- Azure Active Directory
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
index 6ff6a3213c..3349058516 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
@@ -19,6 +19,9 @@ ms.topic: article
# Device health and compliance report in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -86,4 +89,4 @@ For example, to show data about Windows 10 devices with Active sensor health sta
## Related topic
-- [Threat protection report](threat-protection-reports.md)
\ No newline at end of file
+- [Threat protection report](threat-protection-reports.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
index 0ee6e199c0..73940895f1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
@@ -19,6 +19,9 @@ ms.topic: article
# Create and manage device tags
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
Add tags on devices to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Tags can be used as a filter in **Devices list** view, or to group devices. For more information on device grouping, see [Create and manage device groups](machine-groups.md).
You can add tags on devices using the following ways:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index e0c0e5b9b1..074b8fc31f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -18,6 +18,9 @@ ms.topic: article
# Machine resource type
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
index be98dcc681..683d807480 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
@@ -18,6 +18,9 @@ ms.topic: article
# MachineAction resource type
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -73,4 +76,4 @@ ms.topic: article
"lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
"relatedFileInfo": null
}
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
index 2b4a77dcc3..ff9c54a53f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
@@ -19,6 +19,9 @@ ms.topic: article
# View and organize the Microsoft Defender ATP Devices list
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
index 3359a3bbc8..c4d934024e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
@@ -19,6 +19,9 @@ ms.topic: article
# Manage Microsoft Defender Advanced Threat Protection alerts
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
index 022658e40b..6d04ee080e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
@@ -1,10 +1,11 @@
---
-title: Manage Microsoft Defender ATP using Configuration Manager
-description: Learn how to manage Microsoft Defender ATP with Configuration Manager
+title: Manage Microsoft Defender for Endpoint using Configuration Manager
+description: Learn how to manage Microsoft Defender for Endpoint with Configuration Manager
keywords: post-migration, manage, operations, maintenance, utilization, Configuration Manager, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,24 +16,29 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
+ms.date: 09/22/2020
+ms.reviewer: chventou
---
-# Manage Microsoft Defender Advanced Threat Protection with Configuration Manager
+# Manage Microsoft Defender for Endpoint with Configuration Manager
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
We recommend using We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) (Intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction) (Configuration Manager) to manage your organization's threat protection features for devices (also referred to as endpoints).
- [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)
-- [Co-manage Microsoft Defender ATP on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
+- [Co-manage Microsoft Defender for Endpoint on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
-## Configure Microsoft Defender ATP with Configuration Manager
+## Configure Microsoft Defender for Endpoint with Configuration Manager
|Task |Resources to learn more |
|---------|---------|
|**Install the Configuration Manager console** if you don't already have it
*If you don't already have the Configuration Manger console, use these resources to get the bits and install it.* |[Get the installation media](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/install/get-install-media)
[Install the Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/install/install-consoles) |
-|**Use Configuration Manager to onboard devices** to Microsoft Defender ATP
*If you have devices (or endpoints) not already onboarded to Microsoft Defender ATP, you can do that with Configuration Manager.* |[Onboard to Microsoft Defender ATP with Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#about-onboarding-to-atp-with-configuration-manager) |
-|**Manage antimalware policies and Windows Firewall security** for client computers (endpoints)
*Configure endpoint protection features, including Microsoft Defender ATP, exploit protection, application control, antimalware, firewall settings, and more.* |[Configuration Manager: Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection) |
+|**Use Configuration Manager to onboard devices** to Microsoft Defender for Endpoint
*If you have devices (or endpoints) not already onboarded to Microsoft Defender for Endpoint, you can do that with Configuration Manager.* |[Onboard to Microsoft Defender for Endpoint with Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#about-onboarding-to-atp-with-configuration-manager) |
+|**Manage antimalware policies and Windows Firewall security** for client computers (endpoints)
*Configure endpoint protection features, including Microsoft Defender for Endpoint, exploit protection, application control, antimalware, firewall settings, and more.* |[Configuration Manager: Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection) |
|**Choose methods for updating antimalware updates** on your organization's devices
*With Endpoint Protection in Configuration Manager, you can choose from several methods to keep antimalware definitions up to date on your organization's devices.* |[Configure definition updates for Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definition-updates)
[Use Configuration Manager to deliver definition updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-configmgr) |
|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet
*We recommend using [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.* |[Turn on network protection with Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection#microsoft-endpoint-configuration-manager) |
|**Configure controlled folder access** to protect against ransomware
*Controlled folder access is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access)
[Enable controlled folder access in Microsoft Endpoint Configuration Manage](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#microsoft-endpoint-configuration-manager) |
@@ -53,4 +59,4 @@ You can also configure whether and what features end users can see in the Micros
- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
-- [Manage Microsoft Defender ATP with Intune](manage-atp-post-migration-intune.md)
+- [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
index 1e7317f3e8..016d29c822 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
@@ -1,10 +1,11 @@
---
-title: Manage Microsoft Defender ATP using Group Policy Objects
-description: Learn how to manage Microsoft Defender ATP with Group Policy Objects
+title: Manage Microsoft Defender for Endpoint using Group Policy Objects
+description: Learn how to manage Microsoft Defender for Endpoint with Group Policy Objects
keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,21 +16,26 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
+ms.date: 09/22/2020
+ms.reviewer: chventou
---
-# Manage Microsoft Defender Advanced Threat Protection with Group Policy Objects
+# Manage Microsoft Defender for Endpoint with Group Policy Objects
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!NOTE]
> We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction). **[Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)**.
-You can use Group Policy Objects in Azure Active Directory Domain Services to manage some settings in Microsoft Defender ATP.
+You can use Group Policy Objects in Azure Active Directory Domain Services to manage some settings in Microsoft Defender for Endpoint.
-## Configure Microsoft Defender ATP with Group Policy Objects
+## Configure Microsoft Defender for Endpoint with Group Policy Objects
-The following table lists various tasks you can perform to configure Microsoft Defender ATP with Group Policy Objects.
+The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Group Policy Objects.
|Task |Resources to learn more |
|---------|---------|
@@ -59,4 +65,4 @@ You can also configure whether and what features end users can see in the Micros
- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
-- [Manage Microsoft Defender ATP with Intune](manage-atp-post-migration-intune.md)
+- [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
index 6801853a3f..eeefc94bfd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
@@ -1,10 +1,11 @@
---
-title: Manage Microsoft Defender ATP using Intune
-description: Learn how to manage Microsoft Defender ATP with Intune
+title: Manage Microsoft Defender for Endpoint using Intune
+description: Learn how to manage Microsoft Defender for Endpoint with Intune
keywords: post-migration, manage, operations, maintenance, utilization, intune, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,18 +16,23 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
+ms.date: 09/22/2020
+ms.reviewer: chventou
---
-# Manage Microsoft Defender Advanced Threat Protection with Intune
+# Manage Microsoft Defender for Endpoint with Intune
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes Microsoft Intune (Intune) to manage your organization's threat protection features for devices (also referred to as endpoints). [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview).
-This article describes how to find your Microsoft Defender ATP settings in Intune, and lists various tasks you can perform.
+This article describes how to find your Microsoft Defender for Endpoint settings in Intune, and lists various tasks you can perform.
-## Find your Microsoft Defender ATP settings in Intune
+## Find your Microsoft Defender for Endpoint settings in Intune
> [!IMPORTANT]
> You must be a global administrator or service administrator in Intune to configure the settings described in this article. To learn more, see **[Types of administrators (Intune)](https://docs.microsoft.com/mem/intune/fundamentals/users-add#types-of-administrators)**.
@@ -40,20 +46,20 @@ This article describes how to find your Microsoft Defender ATP settings in Intun
4. Select an existing profile, or create a new one.
> [!TIP]
-> Need help? See **[Using Microsoft Defender ATP with Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#example-of-using-microsoft-defender-atp-with-intune)**.
+> Need help? See **[Using Microsoft Defender for Endpoint with Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#example-of-using-microsoft-defender-atp-with-intune)**.
-## Configure Microsoft Defender ATP with Intune
+## Configure Microsoft Defender for Endpoint with Intune
-The following table lists various tasks you can perform to configure Microsoft Defender ATP with Intune. You don't have to configure everything all at once; choose a task, read the corresponding resources, and then proceed.
+The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Intune. You don't have to configure everything all at once; choose a task, read the corresponding resources, and then proceed.
|Task |Resources to learn more |
|---------|---------|
|**Manage your organization's devices using Intune** to protect those devices and data stored on them |[Protect devices with Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect) |
-|**Integrate Microsoft Defender ATP with Intune** as a Mobile Threat Defense solution
*(for Android devices and devices running Windows 10 or later)* |[Enforce compliance for Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection) |
-|**Use Conditional Access** to control the devices and apps that can connect to your email and company resources |[Configure Conditional Access in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access) |
-|**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)) |[Device restrictions: Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)
[Policy CSP - Microsoft Defender ATP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) |
+|**Integrate Microsoft Defender for Endpoint with Intune** as a Mobile Threat Defense solution
*(for Android devices and devices running Windows 10 or later)* |[Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection) |
+|**Use Conditional Access** to control the devices and apps that can connect to your email and company resources |[Configure Conditional Access in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access) |
+|**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)) |[Device restrictions: Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)
[Policy CSP - Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) |
|**If necessary, specify exclusions for Microsoft Defender Antivirus**
*Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.* |[Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/help/822158/virus-scanning-recommendations-for-enterprise-computers)
[Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 devices](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions)
[Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus)|
-|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers
*Configure your attack surface reduction rules in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender)
[Endpoint protection: Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction)
[Learn more about attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
[Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) |
+|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers
*Configure your attack surface reduction rules in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender)
[Endpoint protection: Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction)
[Learn more about attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
[Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) |
|**Configure your network filtering** to block outbound connections from any app to IP addresses or domains with low reputations
*Network filtering is also referred to as [network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection).*
*Make sure that Windows 10 devices have the latest [antimalware platform updates](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform) installed.*|[Endpoint protection: Network filtering](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering)
[Review network protection events in Windows Event Viewer](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection#review-network-protection-events-in-windows-event-viewer) |
|**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access)
[Enable controlled folder access in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#intune) |
|**Configure exploit protection** to protect your organization's devices from malware that uses exploits to spread and infect other devices
*[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection) is also referred to as Exploit Guard.* |[Endpoint protection: Microsoft Defender Exploit Guard](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-exploit-guard)
[Enable exploit protection in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection#intune) |
@@ -62,7 +68,7 @@ The following table lists various tasks you can perform to configure Microsoft D
|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[Endpoint protection: Windows Encryption](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#windows-encryption)
[BitLocker for Windows 10 devices](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) |
|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks |For Windows 10, Windows Server 2016, and Windows Server 2019, see [Endpoint protection: Microsoft Defender Credential Guard](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-credential-guard)
For Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2, see [Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2](https://www.microsoft.com/download/details.aspx?id=36036) |
|**Configure Microsoft Defender Application Control** to choose whether to audit or trust apps on your organization's devices
*Microsoft Defender Application Control is also referred to as [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).*|[Deploy Microsoft Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
[Endpoint protection: Microsoft Defender Application Control](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control)
[AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp)|
-|**Configure device control and USB peripherals access** to help prevent threats in unauthorized peripherals from compromising your devices |[Control USB devices and other removable media using Microsoft Defender ATP and Intune](https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune) |
+|**Configure device control and USB peripherals access** to help prevent threats in unauthorized peripherals from compromising your devices |[Control USB devices and other removable media using Microsoft Defender for Endpoint and Intune](https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune) |
## Configure your Microsoft Defender Security Center
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
index 245b969459..4eb3a79282 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
@@ -1,10 +1,11 @@
---
-title: Manage Microsoft Defender ATP using PowerShell, WMI, and MPCmdRun.exe
-description: Learn how to manage Microsoft Defender ATP with PowerShell, WMI, and MPCmdRun.exe
+title: Manage Microsoft Defender for Endpoint using PowerShell, WMI, and MPCmdRun.exe
+description: Learn how to manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe
keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, WMI, MPCmdRun.exe, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,25 +16,30 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
+ms.date: 09/22/2020
+ms.reviewer: chventou
---
-# Manage Microsoft Defender Advanced Threat Protection with PowerShell, WMI, and MPCmdRun.exe
+# Manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!NOTE]
> We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction).
> - [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)
-> - [Co-manage Microsoft Defender ATP on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
-> - [Manage Microsoft Defender ATP with Intune](manage-atp-post-migration-intune.md)
+> - [Co-manage Microsoft Defender for Endpoint on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
+> - [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
-You can manage some Microsoft Defender Antivirus settings on devices with [PowerShell](#configure-microsoft-defender-atp-with-powershell), [Windows Management Instrumentation](#configure-microsoft-defender-atp-with-windows-management-instrumentation-wmi) (WMI), and the [Microsoft Malware Protection Command Line Utility](#configure-microsoft-defender-atp-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe) (MPCmdRun.exe). For example, you can manage some Microsoft Defender Antivirus settings. And, in some cases, you can customize your attack surface reduction rules and exploit protection settings.
+You can manage some Microsoft Defender Antivirus settings on devices with [PowerShell](#configure-microsoft-defender-for-endpoint-with-powershell), [Windows Management Instrumentation](#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi) (WMI), and the [Microsoft Malware Protection Command Line Utility](#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe) (MPCmdRun.exe). For example, you can manage some Microsoft Defender Antivirus settings. And, in some cases, you can customize your attack surface reduction rules and exploit protection settings.
> [!IMPORTANT]
> Threat protection features that you configure by using PowerShell, WMI, or MCPmdRun.exe can be overwritten by configuration settings that are deployed with Intune or Configuration Manager.
-## Configure Microsoft Defender ATP with PowerShell
+## Configure Microsoft Defender for Endpoint with PowerShell
You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules.
@@ -45,9 +51,9 @@ You can use PowerShell to manage Microsoft Defender Antivirus, exploit protectio
|**Enable Network Protection** with PowerShell
*You can use PowerShell to enable Network Protection.* |[Turn on Network Protection with PowerShell](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection#powershell) |
|**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Enable controlled folder access with PowerShell](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#powershell) |
|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices |[Microsoft Defender Firewall with Advanced Security Administration using Windows PowerShell](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell) |
-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[BitLocker PowerShell reference guide](https://docs.microsoft.com/powershell/module/bitlocker/?view=win10-ps) |
+|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[BitLocker PowerShell reference guide](https://docs.microsoft.com/powershell/module/bitlocker/?view=win10-ps&preserve-view=true) |
-## Configure Microsoft Defender ATP with Windows Management Instrumentation (WMI)
+## Configure Microsoft Defender for Endpoint with Windows Management Instrumentation (WMI)
WMI is a scripting interface that allows you to retrieve, modify, and update settings. To learn more, see [Using WMI](https://docs.microsoft.com/windows/win32/wmisdk/using-wmi).
@@ -57,7 +63,7 @@ WMI is a scripting interface that allows you to retrieve, modify, and update set
|**Retrieve, modify, and update settings** for Microsoft Defender Antivirus | [Use WMI to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus)
[Review the list of available WMI classes and example scripts](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
Also see the archived [Windows Defender WMIv2 Provider reference information](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal?redirectedfrom=MSDN) |
-## Configure Microsoft Defender ATP with Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe)
+## Configure Microsoft Defender for Endpoint with Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe)
On an individual device, you can run a scan, start diagnostic tracing, check for security intelligence updates, and more using the mpcmdrun.exe command-line tool. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. Run it from a command prompt.
@@ -82,4 +88,4 @@ You can also configure whether and what features end users can see in the Micros
- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
-- [Manage Microsoft Defender ATP with Intune](manage-atp-post-migration-intune.md)
+- [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
index f716c99579..417f5267d3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
@@ -1,10 +1,11 @@
---
-title: Manage Microsoft Defender ATP post migration
-description: Now that you've made the switch to Microsoft Defender ATP, your next step is to manage your threat protection features
+title: Manage Microsoft Defender for Endpoint post migration
+description: Now that you've made the switch to Microsoft Defender for Endpoint, your next step is to manage your threat protection features
keywords: post-migration, manage, operations, maintenance, utilization, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -14,15 +15,20 @@ ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
-ms.topic: article
+ms.topic: conceptual
+ms.date: 09/22/2020
+ms.reviewer: chventou
---
-# Manage Microsoft Defender Advanced Threat Protection, post migration
+# Manage Microsoft Defender for Endpoint, post migration
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-After you have moved from your previous endpoint protection and antivirus solution to Microsoft Defender ATP, your next step is to manage your features and capabilities. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction), to manage your organization's devices and security settings. However, you can use other tools/methods, such as [Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy).
+After you have moved from your previous endpoint protection and antivirus solution to Microsoft Defender for Endpoint, your next step is to manage your features and capabilities. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction), to manage your organization's devices and security settings. However, you can use other tools/methods, such as [Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy).
The following table lists various tools/methods you can use, with links to learn more.
@@ -30,8 +36,8 @@ The following table lists various tools/methods you can use, with links to learn
|Tool/Method |Description |
|---------|---------|
|**[Threat and vulnerability management dashboard insights](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights)** in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) |The threat & vulnerability management dashboard provides actionable information that your security operations team can use to reduce exposure and improve your organization's security posture.
See [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) and [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). |
-|**[Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune)** (recommended) |Microsoft Intune (Intune), a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), focuses on mobile device management (MDM) and mobile application management (MAM). With Intune, you control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications.
See [Manage Microsoft Defender ATP using Intune](manage-atp-post-migration-intune.md). |
-|**[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Configuration Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software.
See [Manage Microsoft Defender ATP with Configuration Manager](manage-atp-post-migration-configuration-manager.md). |
-|**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs).
See [Manage Microsoft Defender ATP with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). |
-|**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*
You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender ATP with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-atp-with-powershell).
You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender ATP with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-atp-with-windows-management-instrumentation-wmi).
You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender ATP with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-atp-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). |
+|**[Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune)** (recommended) |Microsoft Intune (Intune), a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), focuses on mobile device management (MDM) and mobile application management (MAM). With Intune, you control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications.
See [Manage Microsoft Defender for Endpoint using Intune](manage-atp-post-migration-intune.md). |
+|**[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Configuration Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software.
See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md). |
+|**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs).
See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). |
+|**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*
You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell).
You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi).
You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index 913a4d215c..116cc0e459 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -1,5 +1,5 @@
---
-title: Review and approve actions following automated investigations in the Microsoft Defender Security Center
+title: Review and approve remediation actions following automated investigations in the Microsoft Defender Security Center
description: Review and approve (or reject) remediation actions following an automated investigation.
keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, devices, duration, filter export
search.product: eADQiWindows 10XVcnh
@@ -15,47 +15,82 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
+ms.date: 09/15/2020
---
-# Review and approve actions following an automated investigation
+# Review and approve remediation actions following an automated investigation
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
## Remediation actions
-When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed.
+When an [automated investigation](automated-investigations.md) runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
-When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically:
+Depending on
+
+- the type of threat,
+- the resulting verdict, and
+- how your organization's [device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) are configured,
+
+remediation actions can occur automatically or only upon approval by your organization’s security operations team.
+
+Here are a few examples:
+
+- Example 1: Fabrikam's device groups are set to **Full - remediate threats automatically** (this is the recommended setting). In this case, remediation actions are taken automatically for artifacts that are considered to be malicious following an automated investigation. (See [Review completed actions](#review-completed-actions).)
+
+- Example 2: Contoso's devices are included in a device group that is set for **Semi - require approval for any remediation**. In this case, Contoso's security operations team must review and approve all remediation actions following an automated investigation. (See [Review pending actions](#review-pending-actions).)
+
+- Example 3: Tailspin Toys has their device groups set to **No automated response** (this is not recommended). In this case, automated investigations do not occur. As a result, no remediation actions are taken or pending, and no actions are logged in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) for their devices. (See [Manage device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups#manage-device-groups))
+
+Whether taken automatically or upon approval, remediation actions following an automated investigation include the following:
- Quarantine a file
-- Remove a registry key
-- Kill a process
-- Stop a service
-- Remove a registry key
-- Disable a driver
+- Remove a registry key
+- Kill a process
+- Stop a service
+- Remove a registry key
+- Disable a driver
- Remove a scheduled task
-Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible so that you automated investigations complete in a timely manner.
+### Automated investigation results and remediation actions
-No actions are taken when a verdict of *No threats found* is reached for a piece of evidence.
+The following table summarizes remediation actions following an automated investigation, how device group settings affect whether actions are taken automatically or upon approval, and what to do in each case.
+
+|Device group setting | Automated investigation results | What to do |
+|:---|:---|:---|
+|**Full - remediate threats automatically** (this is the recommended setting) |A verdict of *Malicious* is reached for a piece of evidence.
Appropriate remediation actions are taken automatically. |[Review completed actions](#review-completed-actions) |
+|**Full - remediate threats automatically** |A verdict of *Suspicious* is reached for a piece of evidence.
Remediation actions are pending approval to proceed. | [Approve (or reject) pending actions](#review-pending-actions) |
+|**Semi - require approval for any remediation** |A verdict of either *Malicious* or *Suspicious* is reached for a piece of evidence.
Remediation actions are pending approval to proceed. |[Approve (or reject) pending actions](#review-pending-actions) |
+|**Semi - require approval for core folders remediation** |A verdict of *Malicious* is reached for a piece of evidence.
If the artifact is a file or executable and is in an operating system directory, such as the Windows folder or the Program files folder, then remediation actions are pending approval.
If the artifact is *not* in an operating system directory, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)
2. [Review completed actions](#review-completed-actions) |
+|**Semi - require approval for core folders remediation** |A verdict of *Suspicious* is reached for a piece of evidence.
Remediation actions are pending approval. |[Approve (or reject) pending actions](#review-pending-actions).|
+|**Semi - require approval for non-temp folders remediation** |A verdict of *Malicious* is reached for a piece of evidence.
If the artifact is a file or executable that is not in a temporary folder, such as the user's downloads folder or temp folder, remediation actions are pending approval.
If the artifact is a file or executable that *is* in a temporary folder, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)
2. [Review completed actions](#review-completed-actions) |
+|**Semi - require approval for non-temp folders remediation** |A verdict of *Suspicious* is reached for a piece of evidence.
Remediation actions are pending approval. |[Approve (or reject) pending actions](#review-pending-actions) |
+|Any of the **Full** or **Semi** automation levels |A verdict of *No threats found* is reached for a piece of evidence.
No remediation actions are taken, and no actions are pending approval. |[View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center) |
+|**No automated response** (this is not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. |[Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) |
In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions).
+> [!TIP]
+> To learn more about remediation actions following an automated investigation, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
+
+
## Review pending actions
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard.
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the [Security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard).
-2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
+2. On the Security operations dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
3. Review any items on the **Pending** tab.
- Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details.
-
- You can also select multiple investigations to approve or reject actions on multiple investigations.
+4. Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions.
+ Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details. You can also select multiple investigations to approve or reject actions on multiple investigations.
## Review completed actions
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard.
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the [Security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard).
-2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
+2. On the Security operations dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
3. Select the **History** tab. (If need be, expand the time period to display more data.)
@@ -67,10 +102,3 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and
- [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center)
-- [Get an overview of live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response)
-
-## Related articles
-
-- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
-
-- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
index 8a8857b964..5dfefb6a2a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
@@ -19,6 +19,9 @@ ms.topic: article
# Manage automation file uploads
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
index 3512070e46..056f3d9d05 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
@@ -19,6 +19,9 @@ ms.topic: article
# Manage automation folder exclusions
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
index 2fb891a0ed..1755204179 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Manage endpoint detection and response capabilities
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
Manage the alerts queue, investigate devices in the devices list, take response actions, and hunt for possible threats in your organization using advanced hunting.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
index 9665f24c1f..05f77e6b94 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
@@ -20,6 +20,9 @@ ms.date: 10/08/2018
# Manage Microsoft Defender ATP incidents
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index 081eb65201..b8a672c6a3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -20,6 +20,9 @@ ms.topic: article
# Create indicators
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -51,7 +54,7 @@ The current supported actions are:
You can create an indicator for:
- [Files](indicator-file.md)
- [IP addresses, URLs/domains](indicator-ip-domain.md)
-- [Certificates (preview)](indicator-certificates.md)
+- [Certificates](indicator-certificates.md)
>[!NOTE]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
index 6b4210212e..2db2ff913f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
@@ -19,6 +19,9 @@ ms.topic: article
# Manage suppression rules
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -43,4 +46,4 @@ You can view a list of all the suppression rules and manage them in one place. Y
## Related topics
-- [Manage alerts](manage-alerts.md)
\ No newline at end of file
+- [Manage alerts](manage-alerts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
index 24695b7456..45de6c024c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Overview of management and APIs
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
new file mode 100644
index 0000000000..e9fa0412b0
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
@@ -0,0 +1,63 @@
+---
+title: Migrate from McAfee to Microsoft Defender for Endpoint
+description: Make the switch from McAfee to Microsoft Defender for Endpoint. Read this article for an overview.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.technology: windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-mcafeemigrate
+- m365solution-overview
+ms.topic: conceptual
+ms.custom: migrationguides
+ms.date: 09/22/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Migrate from McAfee to Microsoft Defender Advanced Threat Protection
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide to plan your migration.
+
+## The migration process
+
+When you switch from McAfee to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
+
+|Phase |Description |
+|--|--|
+|[](mcafee-to-microsoft-defender-prepare.md)
[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
+|[](mcafee-to-microsoft-defender-setup.md)
[Set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md) |During [the **Setup** phase](mcafee-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
+|[](mcafee-to-microsoft-defender-onboard.md)
[Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](mcafee-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
+
+## What's included in Microsoft Defender for Endpoint?
+
+In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
+
+| Feature/Capability | Description |
+|---|---|
+| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
+| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
+| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
+| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
+| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
+| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
+| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
+| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
+
+**Want to learn more? See [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection).**
+
+## Next step
+
+- Proceed to [Prepare for your migration](mcafee-to-microsoft-defender-prepare.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
new file mode 100644
index 0000000000..3422d29ce9
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
@@ -0,0 +1,96 @@
+---
+title: McAfee to Microsoft Defender for Endpoint - Onboard
+description: This is phase 3, Onboard, for migrating from McAfee to Microsoft Defender for Endpoint.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.technology: windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-McAfeemigrate
+ms.custom: migrationguides
+ms.topic: article
+ms.date: 09/24/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Migrate from McAfee - Phase 3: Onboard to Microsoft Defender for Endpoint
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+|[](mcafee-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[](mcafee-to-microsoft-defender-setup.md)
[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |
Phase 3: Onboard |
+|--|--|--|
+|| |*You are here!* |
+
+
+**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
+
+1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
+2. [Run a detection test](#run-a-detection-test).
+3. [Uninstall McAfee](#uninstall-mcafee).
+4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
+
+## Onboard devices to Microsoft Defender for Endpoint
+
+1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
+
+2. Choose **Settings** > **Device management** > **Onboarding**.
+
+3. In the **Select operating system to start onboarding process** list, select an operating system.
+
+4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
+
+### Onboarding methods
+
+Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
+
+|Operating system |Method |
+|---------|---------|
+|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)
**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). |
+|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+|- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
+|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)
iOS
Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) |
+
+## Run a detection test
+
+To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
+
+
+|Operating system |Guidance |
+|---------|---------|
+|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
+|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).
For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). |
+|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.
For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). |
+
+## Uninstall McAfee
+
+Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall McAfee.
+
+To get help with this step, go to your McAfee ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)).
+
+## Make sure Microsoft Defender for Endpoint is in active mode
+
+Now that you have uninstalled McAfee, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode.
+
+To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
+- Cloud-delivered protection
+- Potentially Unwanted Applications (PUA)
+- Network Protection (NP)
+
+## Next steps
+
+**Congratulations**! You have completed your [migration from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
+
+- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
+- [Manage Microsoft Defender Advanced Threat Protection, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
new file mode 100644
index 0000000000..a22a3a83d5
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
@@ -0,0 +1,123 @@
+---
+title: McAfee to Microsoft Defender for Endpoint - Prepare
+description: This is phase 1, Prepare, for migrating from McAfee to Microsoft Defender ATP.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.technology: windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-mcafeemigrate
+ms.topic: article
+ms.custom: migrationguides
+ms.date: 09/22/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Migrate from McAfee - Phase 1: Prepare for your migration
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+|
Phase 1: Prepare |[](mcafee-to-microsoft-defender-setup.md)
[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[](mcafee-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
+|--|--|--|
+|*You are here!*| | |
+
+
+**Welcome to the Prepare phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**.
+
+This migration phase includes the following steps:
+1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)
+2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
+3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
+4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
+
+## Get and deploy updates across your organization's devices
+
+As a best practice, keep your organization's devices and endpoints up to date. Make sure your McAfee Endpoint Security (McAfee) solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender ATP and Microsoft Defender Antivirus.
+
+### Make sure your McAfee solution is up to date
+
+Keep McAfee up to date, and make sure that your organization's devices have the latest security updates. Need help? Here are some McAfee resources:
+
+- [McAfee Enterprise Product Documentation: How Endpoint Security Works](https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-1207FF39-D1D2-481F-BBD9-E4079112A8DD.html)
+
+- [McAfee Knowledge Center Technical Article: Windows Security Center intermittently incorrectly reports that Endpoint Security is disabled when running on Windows 10](https://kc.mcafee.com/corporate/index?page=content&id=KB91830)
+
+- [McAfee Knowledge Center Technical Article: Windows Security Center reports Endpoint Security is disabled when Endpoint Security is running](https://kc.mcafee.com/corporate/index?page=content&id=KB91428)
+
+- Your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com))
+
+### Make sure your organization's devices are up to date
+
+Need help updating your organization's devices? See the following resources:
+
+|OS | Resource |
+|:--|:--|
+|Windows |[Microsoft Update](https://www.update.microsoft.com) |
+|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541)|
+|iOS |[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)|
+|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) |
+|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) |
+
+## Get Microsoft Defender for Endpoint
+
+Now that you've updated your organization's devices, the next step is to get Microsoft Defender ATP, assign licenses, and make sure the service is provisioned.
+
+1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
+
+2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
+
+3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
+
+4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
+
+At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
+
+> [!NOTE]
+> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender ATP portal.
+
+## Grant access to the Microsoft Defender Security Center
+
+The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender ATP. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
+
+Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
+
+1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
+
+2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
+
+ If your organization requires a method other than Intune, choose one of the following options:
+ - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
+ - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
+ - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
+
+3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
+
+## Configure device proxy and internet connectivity settings
+
+To enable communication between your devices and Microsoft Defender ATP, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
+
+|Capabilities | Operating System | Resources |
+|--|--|--|
+|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
+|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
+|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
+|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
+|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
+|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections)
+
+## Next step
+
+**Congratulations**! You have completed the **Prepare** phase of [migrating from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
+
+- [Proceed to set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
new file mode 100644
index 0000000000..7e0da8d519
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
@@ -0,0 +1,257 @@
+---
+title: McAfee to Microsoft Defender for Endpoint - Setup
+description: This is phase 2, Setup, for migrating from McAfee to Microsoft Defender for Endpoint.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.technology: windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-mcafeemigrate
+ms.topic: article
+ms.custom: migrationguides
+ms.date: 09/22/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Migrate from McAfee - Phase 2: Set up Microsoft Defender for Endpoint
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+|[](mcafee-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |
Phase 2: Set up |[](mcafee-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
+|--|--|--|
+||*You are here!* | |
+
+
+**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
+1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
+2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
+3. [Add Microsoft Defender ATP to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee).
+4. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus).
+5. [Add McAfee to the exclusion list for Microsoft Defender for Endpoint](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
+6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
+7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
+
+## Enable Microsoft Defender Antivirus and confirm it's in passive mode
+
+On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).)
+
+This step of the migration process includes the following tasks:
+- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server)
+- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server);
+- [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)
+- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and
+- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode).
+
+### Set DisableAntiSpyware to false on Windows Server
+
+The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
+
+1. On your Windows Server device, open Registry Editor.
+
+2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
+
+3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
+
+ - If you do not see that entry, you're all set.
+
+ - If you do see **DisableAntiSpyware**, proceed to step 4.
+
+4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
+
+5. Set the value to `0`. (This sets the registry key's value to *false*.)
+
+> [!TIP]
+> To learn more about this registry key, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).
+
+### Reinstall Microsoft Defender Antivirus on Windows Server
+
+> [!NOTE]
+> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
+> - Windows Server 2019
+> - Windows Server, version 1803 (core-only mode)
+> - Windows Server 2016
+
+1. As a local administrator on the endpoint or device, open Windows PowerShell.
+
+2. Run the following PowerShell cmdlets:
+
+ `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
+
+ `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+
+3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
+
+ `Get-Service -Name windefend`
+
+> [!TIP]
+> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
+
+### Set Microsoft Defender Antivirus to passive mode on Windows Server
+
+Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender ATP.
+
+1. Open Registry Editor, and then navigate to
+ `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
+
+2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
+
+ - Set the DWORD's value to **1**.
+
+ - Under **Base**, select **Hexadecimal**.
+
+> [!NOTE]
+> You can use other methods to set the registry key, such as the following:
+>- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
+>- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
+>- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
+
+### Enable Microsoft Defender Antivirus on your Windows client devices
+
+Because your organization has been using McAfee as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
+
+To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
+
+|Method |What to do |
+|---------|---------|
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
+|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+
+### Confirm that Microsoft Defender Antivirus is in passive mode
+
+Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
+
+|Method |What to do |
+|---------|---------|
+|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
+
+> [!NOTE]
+> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
+
+## Get updates for Microsoft Defender Antivirus
+
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+
+There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
+- Security intelligence updates
+- Product updates
+
+To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
+
+## Add Microsoft Defender for Endpoint to the exclusion list for McAfee
+
+This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for McAfee and any other security products your organization is using.
+
+> [!TIP]
+> To get help configuring exclusions, refer to McAfee documentation, such as the following article: [McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows: Configuring exclusions](https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orchestrator-windows/page/GUID-71C5FB4B-A143-43E6-8BF0-8B2C16ABE6DA.html).
+
+The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
+
+|OS |Exclusions |
+|--|--|
+|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
+|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+
+## Add McAfee to the exclusion list for Microsoft Defender Antivirus
+
+During this step of the setup process, you add McAfee and your other security solutions to the Microsoft Defender Antivirus exclusion list.
+
+When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
+- Path exclusions exclude specific files and whatever those files access.
+- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
+- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
+- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
+
+You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
+
+|Method | What to do|
+|--|--|
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. |
+|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
+|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. |
+|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
+|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
+
+## Add McAfee to the exclusion list for Microsoft Defender for Endpoint
+
+To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
+
+1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
+
+2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
+
+3. On the **File hashes** tab, choose **Add indicator**.
+
+3. On the **Indicator** tab, specify the following settings:
+ - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
+ - Under **Expires on (UTC)**, choose **Never**.
+
+4. On the **Action** tab, specify the following settings:
+ - **Response Action**: **Allow**
+ - Title and description
+
+5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
+
+6. On the **Summary** tab, review the settings, and then click **Save**.
+
+### Find a file hash using CMPivot
+
+CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
+
+To use CMPivot to get your file hash, follow these steps:
+
+1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
+
+2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
+
+3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
+
+4. Select the **Query** tab.
+
+5. In the **Device Collection** list, and choose **All Systems (default)**.
+
+6. In the query box, type the following query:
+
+```kusto
+File(c:\\windows\\notepad.exe)
+| project Hash
+```
+> [!NOTE]
+> In the query above, replace *notepad.exe* with the your third-party security product process name.
+
+## Set up your device groups, device collections, and organizational units
+
+| Collection type | What to do |
+|--|--|
+|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. |
+|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
+|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
+
+## Configure antimalware policies and real-time protection
+
+Using Configuration Manager and your device collection(s), configure your antimalware policies.
+
+- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
+
+- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
+
+> [!TIP]
+> You can deploy the policies before your organization's devices on onboarded.
+
+## Next step
+
+**Congratulations**! You have completed the Setup phase of [migrating from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
+
+- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
index 7132b8b8a3..2049e0d9bd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
@@ -20,6 +20,9 @@ ms.topic: article
# Configure Microsoft Cloud App Security in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
index 3871f3dc64..a6f03c17c5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
@@ -20,6 +20,9 @@ ms.date: 10/18/2018
---
# Microsoft Cloud App Security in Microsoft Defender ATP overview
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index d4d253fe83..d45c5c585e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Microsoft Defender Advanced Threat Protection
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink)
>
> For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
index 9e20ced652..a382a8463d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
@@ -20,20 +20,15 @@ ms.topic: conceptual
# Microsoft Defender Advanced Threat Protection for Android
-> [!IMPORTANT]
-> **PUBLIC PREVIEW EDITION**
->
-> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
->
-> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
->
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Android.
> [!CAUTION]
> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Android is likely to cause performance problems and unpredictable system errors.
-
## How to install Microsoft Defender ATP for Android
### Prerequisites
@@ -84,8 +79,7 @@ For more information, see [Deploy Microsoft Defender ATP for Android with Micros
> [!NOTE]
-> **Microsoft Defender ATP for Android is available on Google Play now.**
-> You can connect to Google Play from Intune to deploy Microsoft Defender ATP app, across Device Administrator and Android Enterprise entrollment modes.
+> **Microsoft Defender ATP for Android is available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.**
You can connect to Google Play from Intune to deploy Microsoft Defender ATP app, across Device Administrator and Android Enterprise entrollment modes.
## How to Configure Microsoft Defender ATP for Android
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
new file mode 100644
index 0000000000..ed5256954e
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
@@ -0,0 +1,76 @@
+---
+title: Microsoft Defender ATP for iOS overview
+ms.reviewer:
+description: Describes how to install and use Microsoft Defender ATP for iOS
+keywords: microsoft, defender, atp, ios, overview, installation, deploy, uninstallation, intune
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Microsoft Defender Advanced Threat Protection for iOS
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+> [!IMPORTANT]
+> **PUBLIC PREVIEW EDITION**
+>
+> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
+>
+> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+
+
+The public preview of Microsoft Defender ATP for iOS will offer protection
+against phishing and unsafe network connections from websites, emails, and apps.
+All alerts will be available through a single pane of glass in the Microsoft
+Defender Security Center. The portal gives security teams a centralized view of threats on
+iOS devices along with other platforms.
+
+## Pre-requisites
+
+
+**For End Users**
+
+- Microsoft Defender ATP license assigned to the end user(s) of the app. Refer
+ [Assign licenses to
+ users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
+ for instructions on how to assign licenses.
+
+**For Administrators**
+
+- Access to the Microsoft Defender Security Center portal
+
+- Access to [Microsoft Endpoint Manager admin
+ center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app
+ to enrolled user groups in your organization
+
+**System Requirements**
+
+- iOS devices running iOS 11.0 and above
+
+- Device is enrolled with Intune Company Portal
+ [app](https://apps.apple.com/us/app/intune-company-portal/id719171358)
+
+## Resources
+
+- Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS)
+
+- Provide feedback through in-app feedback system or through [SecOps
+ portal](https://securitycenter.microsoft.com)
+
+
+## Next steps
+
+- [Deploy Microsoft Defender ATP for iOS](ios-install.md)
+- [Configure Microsoft Defender ATP for iOS features](ios-configure-features.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
index b2b4bdcfae..1e0b400707 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Microsoft Defender ATP for Linux
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Linux.
> [!CAUTION]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index bfad87ca3d..90fef9d116 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Microsoft Defender Advanced Threat Protection for Mac
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac.
> [!CAUTION]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
index e6acac214c..ee826bd394 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Microsoft Defender Security Center
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.
## In this section
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
index 5e28935812..9831cb1cf8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
---
# Microsoft Threat Experts
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -32,9 +35,12 @@ Watch this video for a quick overview of Microsoft Threat Experts.
## Before you begin
+> [!NOTE]
+> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
+
Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
-If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details.
+If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription. See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details.
## Targeted attack notification
Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. The managed hunting service includes:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
new file mode 100644
index 0000000000..193a2a1360
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
@@ -0,0 +1,47 @@
+---
+title: Migration guides to make the switch to Microsoft Defender for Endpoint
+description: Learn how to make the switch from a non-Microsoft threat protection solution to Microsoft Defender for Endpoint
+search.appverid: MET150
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+audience: ITPro
+ms.topic: conceptual
+ms.prod: w10
+ms.localizationpriority: medium
+ms.collection:
+- M365-security-compliance
+ms.custom: migrationguides
+ms.reviewer: chriggs, depicker, yongrhee
+f1.keywords: NOCSH
+ms.date: 09/24/2020
+---
+
+# Make the switch to Microsoft Defender for Endpoint and Microsoft Defender Antivirus
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+## Migration guides
+
+If you're considering switching from a non-Microsoft threat protection solution to Microsoft Defender for Endpoint with Microsoft Defender Antivirus, check out our migration guidance. Select the scenario that best represents where you are in your deployment process, and see the guidance.
+
+|Scenario |Guidance |
+|:--|:--|
+|You do not have an endpoint protection solution yet, and you want to know more about how Microsoft Defender for Endpoint & Microsoft Defender Antivirus work. |[Microsoft Defender ATP evaluation lab](evaluation-lab.md) |
+|You have Microsoft Defender for Endpoint & Microsoft Defender Antivirus and need some help getting everything set up and configured. |[Microsoft Defender Advanced Threat Protection deployment guide](deployment-phases.md) |
+|You're planning to migrate from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md) |
+|You're planning to migrate from Symantec Endpoint Protection (Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md) |
+|You're planning to migrate from a non-Microsoft endpoint protection solution (other than McAfee or Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Make the switch to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md) |
+|You've migrated to Microsoft Defender for Endpoint & Microsoft Defender Antivirus, and you need help with next steps, such as configuring additional features or fine-tuning your security settings. | [Manage Microsoft Defender for Endpoint, post-migration](manage-atp-post-migration.md) |
+
+
+## Got feedback?
+
+Let us know what you think! Submit your feedback at the bottom of the page. We'll take your feedback into account as we continue to improve and add to our migration guidance.
+
+## See also
+
+- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection)
+- [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp)
+- [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index b3d3eb3ef8..d934a67ccf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Minimum requirements for Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -104,13 +107,12 @@ The hardware requirements for Microsoft Defender ATP on devices are the same for
### Other supported operating systems
- Android
-- Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
+- Linux
- macOS
> [!NOTE]
> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Microsoft Defender ATP for the integration to work.
->
-> Also note that Microsoft Defender ATP is currently only available in the Public Preview Edition for Linux.
+
### Network and data storage and configuration requirements
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md
new file mode 100644
index 0000000000..e04b5fd740
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md
@@ -0,0 +1,44 @@
+---
+title: Supported managed security service providers
+description: See the list of MSSPs that Microsoft Defender ATP integrates with
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Supported managed security service providers
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Logo |Partner name | Description
+:---|:---|:---
+| [BDO Digital](https://go.microsoft.com/fwlink/?linkid=2090394) | BDO Digital's Managed Defense leverages best practice tools, AI, and in-house security experts for 24/7/365 identity protection
+| [BlueVoyant](https://go.microsoft.com/fwlink/?linkid=2121401) | MDR for Microsoft Defender ATP provides support in monitoring, investigating, and mitigating advanced attacks on endpoints
+| [Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2099315) | InSpark's Cloud Security Center is a 24x7 managed service that delivers protect, detect & respond capabilities
+| [Cloud SOC](https://go.microsoft.com/fwlink/?linkid=2104265) | Cloud SOC provides 24/7 security monitoring services based on Microsoft cloud and helps you to continuously improve your security posture
+| [CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2091005) | 24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when and how security incidents have taken place
+| [Dell Technologies Advanced Threat Protection](https://go.microsoft.com/fwlink/?linkid=2091004) | Professional monitoring service for malicious behavior and anomalies with 24/7 capability
+| [DXC-Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2090395) | Identify endpoint threats that evade traditional security defenses and contain them in hours or minutes, not days
+| [NTT Security](https://go.microsoft.com/fwlink/?linkid=2095320) | NTT's EDR Service provides 24/7 security monitoring & response across your endpoint and network
+| [Red Canary](https://go.microsoft.com/fwlink/?linkid=2103852) | Red Canary is a security operations partner for modern teams, MDR deployed in minutes
+| [SecureWorks Managed Detection and Response Powered by Red Cloak](https://go.microsoft.com/fwlink/?linkid=2133634) | Secureworks combines threat intelligence and 20+ years of experience into SaaS and managed security solutions
+| [sepagoSOC](https://go.microsoft.com/fwlink/?linkid=2090491) | Ensure holistic security through sophisticated automated workflows in your zero trust environment
+| [Trustwave Threat Detection & Response Services](https://go.microsoft.com/fwlink/?linkid=2127542) | Threat Detection and Response services for Azure leveraging integrations with Sentinel and Microsoft Defender ATP
+| [Wortell's cloud SOC](https://go.microsoft.com/fwlink/?linkid=2108415) | 24x7 managed Microsoft Defender ATP service for monitoring & response
+| [Zero Trust Analytics Platform (ZTAP)](https://go.microsoft.com/fwlink/?linkid=2090971) | Reduce your alerts by 99% and access a full range of security capabilities from mobile devices
+
+## Related topics
+- [Configure managed service security provider integration](configure-mssp-support.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
index dc86cb4ea9..6f1d18b0e5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Managed security service provider partnership opportunities
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index 9453feda1e..ea52e95529 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -20,6 +20,9 @@ ms.custom: asr
# Protect your network
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index c07a143d91..a0f4515971 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Threat and vulnerability management
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -83,11 +86,7 @@ Watch this video for a comprehensive walk-through of threat and vulnerability ma
Ensure that your devices:
- Are onboarded to Microsoft Defender Advanced Threat Protection
-- Run with Windows 10 1709 (Fall Creators Update) or later
-
->[!NOTE]
->Threat and vulnerability management can also scan devices that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
-
+- Run [supported operating systems and platforms](tvm-supported-os.md)
- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
> Release | Security update KB number and link
diff --git a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md
new file mode 100644
index 0000000000..36cab9ff28
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md
@@ -0,0 +1,110 @@
+---
+title: Microsoft Defender ATP for non-Windows platforms
+description: Learn about Microsoft Defender ATP capabilities for non-Windows platforms
+keywords: non windows, mac, macos, linux, android
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-evalutatemtp
+ms.topic: article
+---
+
+# Microsoft Defender ATP for non-Windows platforms
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+Microsoft has been on a journey to extend its industry leading endpoint security
+capabilities beyond Windows and Windows Server to macOS, Linux, Android, and
+soon iOS.
+
+Organizations face threats across a variety of platforms and devices. Our teams
+have committed to building security solutions not just *for* Microsoft, but also
+*from* Microsoft to enable our customers to protect and secure their
+heterogenous environments. We're listening to customer feedback and partnering
+closely with our customers to build solutions that meet their needs.
+
+With Microsoft Defender ATP, customers benefit from a unified view of all
+threats and alerts in the Microsoft Defender Security Center, across Windows and
+non-Windows platforms, enabling them to get a full picture of what's happening
+in their environment, which empowers them to more quickly assess and respond to
+threats.
+
+## Microsoft Defender ATP for Mac
+
+Microsoft Defender ATP for Mac offers AV and EDR capabilities for the three
+latest released versions of macOS. Customers can deploy and manage the solution
+through Microsoft Endpoint Manager and Jamf. Just like with Microsoft Office
+applications on macOS, Microsoft Auto Update is used to manage Microsoft
+Defender ATP for Mac updates. For information about the key features and
+benefits, read our
+[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/macOS).
+
+For more details on how to get started, visit the Microsoft Defender ATP for Mac
+[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac).
+
+## Microsoft Defender ATP for Linux
+
+Microsoft Defender ATP for Linux offers preventative (AV) capabilities for Linux
+servers. This includes a full command line experience to configure and manage
+the agent, initiate scans, and manage threats. We support recent versions of the
+six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu
+16 LTS, or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2. Microsoft
+Defender ATP for Linux can be deployed and configured using Puppet, Ansible, or
+using your existing Linux configuration management tool. For information about
+the key features and benefits, read our
+[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Linux).
+
+For more details on how to get started, visit the Microsoft Defender ATP for
+Linux
+[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux).
+
+## Microsoft Defender ATP for Android
+
+Microsoft Defender ATP for Android is our mobile threat defense solution for
+devices running Android 6.0 and higher. Both Android Enterprise (Work Profile)
+and Device Administrator modes are supported. On Android, we offer web
+protection, which includes anti-phishing, blocking of unsafe connections, and
+setting of custom indicators. The solution scans for malware and potentially
+unwanted applications (PUA) and offers additional breach prevention capabilities
+through integration with Microsoft Endpoint Manager and Conditional Access. For
+information about the key features and benefits, read our
+[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Android).
+
+For more details on how to get started, visit the Microsoft Defender ATP for
+Android
+[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android).
+
+
+
+## Licensing requirements
+
+Eligible Licensed Users may use Microsoft Defender ATP on up to five concurrent
+devices. Microsoft Defender ATP is also available for purchase from a Cloud
+Solution Provider (CSP).
+
+Customers can obtain Microsoft Defender ATP for Mac through a standalone
+Microsoft Defender ATP license, as part of Microsoft 365 A5/E5, or Microsoft 365
+Security.
+
+Recently announced capabilities of Microsoft Defender ATP for Android and soon
+iOS are included in the above mentioned offers as part of the five qualified
+devices for eligible licensed users.
+
+Microsoft Defender ATP for Linux is available through the Microsoft Defender ATP
+for Server SKU that is available for both commercial and education customers.
+
+Please contact your account team or CSP for pricing and additional eligibility
+requirements.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
index d51165a30f..6046e47262 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
@@ -18,6 +18,9 @@ ms.topic: article
# Offboard machine API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
index 9a0498b504..fdfda0129e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Offboard devices from the Microsoft Defender ATP service
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- macOS
- Linux
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md
index 23072e7fd3..3f37f66880 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Onboard devices to the Microsoft Defender ATP service
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
index 6d9c98fc37..86e8968854 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
@@ -19,6 +19,9 @@ ms.topic: article
# Onboard previous versions of Windows
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- Windows 7 SP1 Enterprise
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
index 22a6d8de5e..cb3d0ee177 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
@@ -20,6 +20,9 @@ ms.topic: article
# Onboard devices without Internet access to Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
index 64b2b3236f..ca17dbdcd7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
---
# Configure and manage Microsoft Defender ATP capabilities
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md
new file mode 100644
index 0000000000..d839dabec7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md
@@ -0,0 +1,358 @@
+---
+title: Onboarding using Microsoft Endpoint Configuration Manager
+description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Configuration Manager
+keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-endpointprotect
+ms.topic: article
+---
+
+# Onboarding using Microsoft Endpoint Configuration Manager
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Collection creation
+To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
+deployment can target either and existing collection or a new collection can be
+created for testing. The onboarding like group policy or manual method does
+not install any agent on the system. Within the Configuration Manager console
+the onboarding process will be configured as part of the compliance settings
+within the console. Any system that receives this required configuration will
+maintain that configuration for as long as the Configuration Manager client
+continues to receive this policy from the management point. Follow the steps
+below to onboard systems with Configuration Manager.
+
+1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
+
+ 
+
+2. Right Click **Device Collection** and select **Create Device Collection**.
+
+ 
+
+3. Provide a **Name** and **Limiting Collection**, then select **Next**.
+
+ 
+
+4. Select **Add Rule** and choose **Query Rule**.
+
+ 
+
+5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
+
+ 
+
+6. Select **Criteria** and then choose the star icon.
+
+ 
+
+7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.
+
+ 
+
+8. Select **Next** and **Close**.
+
+ 
+
+9. Select **Next**.
+
+ 
+
+After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
+
+## Endpoint detection and response
+### Windows 10
+From within the Microsoft Defender Security Center it is possible to download
+the '.onboarding' policy that can be used to create the policy in System Center Configuration
+Manager and deploy that policy to Windows 10 devices.
+
+1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
+
+
+
+2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.
+
+ 
+
+3. Select **Download package**.
+
+ 
+
+4. Save the package to an accessible location.
+5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
+
+6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
+
+ 
+
+7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
+
+ 
+
+8. Click **Browse**.
+
+9. Navigate to the location of the downloaded file from step 4 above.
+
+10. Click **Next**.
+11. Configure the Agent with the appropriate samples (**None** or **All file types**).
+
+ 
+
+12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
+
+ 
+
+14. Verify the configuration, then click **Next**.
+
+ 
+
+15. Click **Close** when the Wizard completes.
+
+16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
+
+ 
+
+17. On the right panel, select the previously created collection and click **OK**.
+
+ 
+
+
+### Previous versions of Windows Client (Windows 7 and Windows 8.1)
+Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
+
+1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
+
+2. Under operating system choose **Windows 7 SP1 and 8.1**.
+
+3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
+
+ 
+
+4. Install the Microsoft Monitoring Agent (MMA).
+ MMA is currently (as of January 2019) supported on the following Windows Operating
+ Systems:
+
+ - Server SKUs: Windows Server 2008 SP1 or Newer
+
+ - Client SKUs: Windows 7 SP1 and later
+
+ The MMA agent will need to be installed on Windows devices. To install the
+ agent, some systems will need to download the [Update for customer experience
+ and diagnostic
+ telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+ in order to collect the data with MMA. These system versions include but may not
+ be limited to:
+
+ - Windows 8.1
+
+ - Windows 7
+
+ - Windows Server 2016
+
+ - Windows Server 2012 R2
+
+ - Windows Server 2008 R2
+
+ Specifically, for Windows 7 SP1, the following patches must be installed:
+
+ - Install
+ [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
+
+ - Install either [.NET Framework
+ 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or
+ later) **or**
+ [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
+ Do not install both on the same system.
+
+5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
+
+Once completed, you should see onboarded endpoints in the portal within an hour.
+
+## Next generation protection
+Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
+
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
+
+ 
+
+2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**.
+
+ 
+
+ In certain industries or some select enterprise customers might have specific
+needs on how Antivirus is configured.
+
+
+ [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
+
+ For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
+
+
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+3. Right-click on the newly created antimalware policy and select **Deploy**.
+
+ 
+
+4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
+
+ 
+
+After completing this task, you now have successfully configured Windows
+Defender Antivirus.
+
+## Attack surface reduction
+The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
+Protection.
+
+All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode.
+
+To set ASR rules in Audit mode:
+
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+ 
+
+
+2. Select **Attack Surface Reduction**.
+
+
+3. Set rules to **Audit** and click **Next**.
+
+ 
+
+4. Confirm the new Exploit Guard policy by clicking on **Next**.
+
+ 
+
+
+5. Once the policy is created click **Close**.
+
+ 
+
+
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+ 
+
+7. Target the policy to the newly created Windows 10 collection and click **OK**.
+
+ 
+
+After completing this task, you now have successfully configured ASR rules in audit mode.
+
+Below are additional steps to verify whether ASR rules are correctly applied to
+endpoints. (This may take few minutes)
+
+
+1. From a web browser, navigate to .
+
+2. Select **Configuration management** from left side menu.
+
+3. Click **Go to attack surface management** in the Attack surface management panel.
+
+ 
+
+4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
+
+ 
+
+5. Click each device shows configuration details of ASR rules.
+
+ 
+
+See [Optimize ASR rule deployment and
+detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details.
+
+
+### To set Network Protection rules in Audit mode:
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+ 
+
+2. Select **Network protection**.
+
+3. Set the setting to **Audit** and click **Next**.
+
+ 
+
+4. Confirm the new Exploit Guard Policy by clicking **Next**.
+
+ 
+
+5. Once the policy is created click on **Close**.
+
+ 
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+ 
+
+7. Select the policy to the newly created Windows 10 collection and choose **OK**.
+
+ 
+
+After completing this task, you now have successfully configured Network
+Protection in audit mode.
+
+### To set Controlled Folder Access rules in Audit mode:
+
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+ 
+
+2. Select **Controlled folder access**.
+
+3. Set the configuration to **Audit** and click **Next**.
+
+ 
+
+4. Confirm the new Exploit Guard Policy by clicking on **Next**.
+
+ 
+
+5. Once the policy is created click on **Close**.
+
+ 
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+ 
+
+7. Target the policy to the newly created Windows 10 collection and click **OK**.
+
+ 
+
+You have now successfully configured Controlled folder access in audit mode.
+
+## Related topic
+- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md
new file mode 100644
index 0000000000..31593b47cc
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md
@@ -0,0 +1,367 @@
+---
+title: Onboarding using Microsoft Endpoint Manager
+description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Manager
+keywords: onboarding, configuration, deploy, deployment, endpoint manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-endpointprotect
+ms.topic: article
+---
+
+# Onboarding using Microsoft Endpoint Manager
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+In this section, we will be using Microsoft Endpoint Manager (MEM) to deploy
+Microsoft Defender ATP to your endpoints.
+
+For more information about MEM, check out these resources:
+- [Microsoft Endpoint Manager page](https://docs.microsoft.com/mem/)
+- [Blog post on convergence of Intune and ConfigMgr](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/)
+- [Introduction video on MEM](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace)
+
+
+This process is a multi-step process, you'll need to:
+
+- Identify target devices or users
+
+ - Create an Azure Active Directory group (User or Device)
+
+- Create a Configuration Profile
+
+ - In MEM, we'll guide you in creating a separate policy for each feature
+
+## Resources
+
+
+Here are the links you'll need for the rest of the process:
+
+- [MEM portal](https://aka.ms/memac)
+
+- [Security Center](https://securitycenter.windows.com/)
+
+- [Intune Security baselines](https://docs.microsoft.com/mem/intune/protect/security-baseline-settings-defender-atp#microsoft-defender)
+
+## Identify target devices or users
+In this section, we will create a test group to assign your configurations on.
+
+>[!NOTE]
+>Intune uses Azure Active Directory (Azure AD) groups to manage devices and
+users. As an Intune admin, you can set up groups to suit your organizational
+needs.
+> For more information, see [Add groups to organize users and devices](https://docs.microsoft.com/mem/intune/fundamentals/groups-add).
+
+### Create a group
+
+1. Open the MEM portal.
+
+2. Open **Groups > New Group**.
+
+ 
+
+3. Enter details and create a new group.
+
+ 
+
+4. Add your test user or device.
+
+5. From the **Groups > All groups** pane, open your new group.
+
+6. Select **Members > Add members**.
+
+7. Find your test user or device and select it.
+
+ 
+
+8. Your testing group now has a member to test.
+
+## Create configuration policies
+In the following section, you'll create a number of configuration policies.
+First is a configuration policy to select which groups of users or devices will
+be onboarded to Microsoft Defender ATP. Then you will continue by creating several
+different types of Endpoint security policies.
+
+### Endpoint detection and response
+
+1. Open the MEM portal.
+
+2. Navigate to **Endpoint security > Endpoint detection and response**. Click
+ on **Create Profile**.
+
+ 
+
+3. Under **Platform, select Windows 10 and Later, Profile - Endpoint detection
+ and response > Create**.
+
+4. Enter a name and description, then select **Next**.
+
+ 
+
+5. Select settings as required, then select **Next**.
+
+ 
+
+ >[!NOTE]
+ >In this instance, this has been auto populated as Microsoft Defender ATP has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender ATP in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp).
+
+
+ 
+
+6. Add scope tags if necessary, then select **Next**.
+
+ 
+
+7. Add test group by clicking on **Select groups to include** and choose your group, then select **Next**.
+
+ 
+
+8. Review and accept, then select **Create**.
+
+ 
+
+9. You can view your completed policy.
+
+ 
+
+### Next-generation protection
+
+1. Open the MEM portal.
+
+2. Navigate to **Endpoint security > Antivirus > Create Policy**.
+
+ 
+
+3. Select **Platform - Windows 10 and Later - Windows and Profile – Microsoft
+ Defender Antivirus > Create**.
+
+4. Enter name and description, then select **Next**.
+
+ 
+
+5. In the **Configuration settings page**: Set the configurations you require for
+ Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time
+ Protection, and Remediation).
+
+ 
+
+6. Add scope tags if necessary, then select **Next**.
+
+ 
+
+7. Select groups to include, assign to your test group, then select **Next**.
+
+ 
+
+8. Review and create, then select **Create**.
+
+ 
+
+9. You'll see the configuration policy you created.
+
+ 
+
+### Attack Surface Reduction – Attack surface reduction rules
+
+1. Open the MEM portal.
+
+2. Navigate to **Endpoint security > Attack surface reduction**.
+
+3. Select **Create Policy**.
+
+4. Select **Platform - Windows 10 and Later – Profile - Attack surface reduction
+ rules > Create**.
+
+ 
+
+5. Enter a name and description, then select **Next**.
+
+ 
+
+6. In the **Configuration settings page**: Set the configurations you require for
+ Attack surface reduction rules, then select **Next**.
+
+ >[!NOTE]
+ >We will be configuring all of the Attack surface reduction rules to Audit.
+
+ For more information, see [Attack surface reduction rules](attack-surface-reduction.md).
+
+ 
+
+7. Add Scope Tags as required, then select **Next**.
+
+ 
+
+8. Select groups to include and assign to test group, then select **Next**.
+
+ 
+
+9. Review the details, then select **Create**.
+
+ 
+
+10. View the policy.
+
+ 
+
+### Attack Surface Reduction – Web Protection
+
+1. Open the MEM portal.
+
+2. Navigate to **Endpoint security > Attack surface reduction**.
+
+3. Select **Create Policy**.
+
+4. Select **Windows 10 and Later – Web protection > Create**.
+
+ 
+
+5. Enter a name and description, then select **Next**.
+
+ 
+
+6. In the **Configuration settings page**: Set the configurations you require for
+ Web Protection, then select **Next**.
+
+ >[!NOTE]
+ >We are configuring Web Protection to Block.
+
+ For more information, see [Web Protection](web-protection-overview.md).
+
+ 
+
+7. Add **Scope Tags as required > Next**.
+
+ 
+
+8. Select **Assign to test group > Next**.
+
+ 
+
+9. Select **Review and Create > Create**.
+
+ 
+
+10. View the policy.
+
+ 
+
+## Validate configuration settings
+
+
+### Confirm Policies have been applied
+
+
+Once the Configuration policy has been assigned, it will take some time to apply.
+
+For information on timing, see [Intune configuration information](https://docs.microsoft.com/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
+
+To confirm that the configuration policy has been applied to your test device, follow the following process for each configuration policy.
+
+1. Open the MEM portal and navigate to the relevant policy as shown in the
+ steps above. The following example shows the next generation protection settings.
+
+ 
+
+2. Select the **Configuration Policy** to view the policy status.
+
+ 
+
+3. Select **Device Status** to see the status.
+
+ 
+
+4. Select **User Status** to see the status.
+
+ 
+
+5. Select **Per-setting status** to see the status.
+
+ >[!TIP]
+ >This view is very useful to identify any settings that conflict with another policy.
+
+ 
+
+### Endpoint detection and response
+
+
+1. Before applying the configuration, the Microsoft Defender ATP
+ Protection service should not be started.
+
+ 
+
+2. After the configuration has been applied, the Microsoft Defender ATP
+ Protection Service should be started.
+
+ 
+
+3. After the services are running on the device, the device appears in Microsoft
+ Defender Security Center.
+
+ 
+
+### Next-generation protection
+
+1. Before applying the policy on a test device, you should be able to manually
+ manage the settings as shown below.
+
+ 
+
+2. After the policy has been applied, you should not be able to manually manage
+ the settings.
+
+ >[!NOTE]
+ > In the following image **Turn on cloud-delivered protection** and
+ **Turn on real-time protection** are being shown as managed.
+
+ 
+
+### Attack Surface Reduction – Attack surface reduction rules
+
+
+1. Before applying the policy on a test device, pen a PowerShell Window and type `Get-MpPreference`.
+
+2. This should respond with the following lines with no content:
+
+ AttackSurfaceReductionOnlyExclusions:
+
+ AttackSurfaceReductionRules_Actions:
+
+ AttackSurfaceReductionRules_Ids:
+
+ 
+
+3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`.
+
+4. This should respond with the following lines with content as shown below:
+
+ 
+
+### Attack Surface Reduction – Web Protection
+
+1. On the test device, open a PowerShell Windows and type
+ `(Get-MpPreference).EnableNetworkProtection`.
+
+2. This should respond with a 0 as shown below.
+
+ 
+
+3. After applying the policy, open a PowerShell Windows and type
+ `(Get-MpPreference).EnableNetworkProtection`.
+
+4. This should respond with a 1 as shown below.
+
+ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
index 3c3850da7f..7052df6942 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
@@ -19,6 +19,9 @@ ms.topic: article
# Create a notification rule when a local onboarding or offboarding script is used
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
index 79394ceaf0..feeca610db 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
@@ -19,6 +19,9 @@ ms.topic: article
---
# Onboard to the Microsoft Defender ATP service
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -51,343 +54,21 @@ You are currently in the onboarding phase.
-To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements.
+To deploy Microsoft Defender ATP, you'll need to onboard devices to the service.
-The deployment guide uses Microsoft Endpoint Configuration Manager as the management tool to demonstrate an end-to-end deployment.
+Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements.
-This article will guide you on:
-- Setting up Microsoft Endpoint Configuration Manager
+After onboarding the devices, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction.
+
+
+This article provides resources to guide you on:
+- Using various management tools to onboard devices
+ - [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
+ - [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
- Endpoint detection and response configuration
- Next-generation protection configuration
- Attack surface reduction configuration
-## Onboarding using Microsoft Endpoint Configuration Manager
-### Collection creation
-To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
-deployment can target either and existing collection or a new collection can be
-created for testing. The onboarding like group policy or manual method does
-not install any agent on the system. Within the Configuration Manager console
-the onboarding process will be configured as part of the compliance settings
-within the console. Any system that receives this required configuration will
-maintain that configuration for as long as the Configuration Manager client
-continues to receive this policy from the management point. Follow the steps
-below to onboard systems with Configuration Manager.
-
-1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
-
- 
-
-2. Right Click **Device Collection** and select **Create Device Collection**.
-
- 
-
-3. Provide a **Name** and **Limiting Collection**, then select **Next**.
-
- 
-
-4. Select **Add Rule** and choose **Query Rule**.
-
- 
-
-5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
-
- 
-
-6. Select **Criteria** and then choose the star icon.
-
- 
-
-7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.
-
- 
-
-8. Select **Next** and **Close**.
-
- 
-
-9. Select **Next**.
-
- 
-
-After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
-
-## Endpoint detection and response
-### Windows 10
-From within the Microsoft Defender Security Center it is possible to download
-the '.onboarding' policy that can be used to create the policy in System Center Configuration
-Manager and deploy that policy to Windows 10 devices.
-
-1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
-
-
-
-2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.
-
- 
-
-3. Select **Download package**.
-
- 
-
-4. Save the package to an accessible location.
-5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
-
-6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
-
- 
-
-7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
-
- 
-
-8. Click **Browse**.
-
-9. Navigate to the location of the downloaded file from step 4 above.
-
-10. Click **Next**.
-11. Configure the Agent with the appropriate samples (**None** or **All file types**).
-
- 
-
-12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
-
- 
-
-14. Verify the configuration, then click **Next**.
-
- 
-
-15. Click **Close** when the Wizard completes.
-
-16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
-
- 
-
-17. On the right panel, select the previously created collection and click **OK**.
-
- 
-
-
-### Previous versions of Windows Client (Windows 7 and Windows 8.1)
-Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
-
-1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
-
-2. Under operating system choose **Windows 7 SP1 and 8.1**.
-
-3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
-
- 
-
-4. Install the Microsoft Monitoring Agent (MMA).
- MMA is currently (as of January 2019) supported on the following Windows Operating
- Systems:
-
- - Server SKUs: Windows Server 2008 SP1 or Newer
-
- - Client SKUs: Windows 7 SP1 and later
-
- The MMA agent will need to be installed on Windows devices. To install the
- agent, some systems will need to download the [Update for customer experience
- and diagnostic
- telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
- in order to collect the data with MMA. These system versions include but may not
- be limited to:
-
- - Windows 8.1
-
- - Windows 7
-
- - Windows Server 2016
-
- - Windows Server 2012 R2
-
- - Windows Server 2008 R2
-
- Specifically, for Windows 7 SP1, the following patches must be installed:
-
- - Install
- [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-
- - Install either [.NET Framework
- 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
- later) **or**
- [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
- Do not install both on the same system.
-
-5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
-
-Once completed, you should see onboarded endpoints in the portal within an hour.
-
-## next-generation protection
-Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers.
-
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
-
- 
-
-2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**.
-
- 
-
- In certain industries or some select enterprise customers might have specific
-needs on how Antivirus is configured.
-
-
- [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
-
- For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
-
-
- 
-
- 
-
- 
-
- 
-
- 
-
- 
-
- 
-
- 
-
-3. Right-click on the newly created antimalware policy and select **Deploy**.
-
- 
-
-4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
-
- 
-
-After completing this task, you now have successfully configured Windows
-Defender Antivirus.
-
-## Attack surface reduction
-The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
-Protection.
-
-All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode.
-
-To set ASR rules in Audit mode:
-
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
-
- 
-
-
-2. Select **Attack Surface Reduction**.
-
-
-3. Set rules to **Audit** and click **Next**.
-
- 
-
-4. Confirm the new Exploit Guard policy by clicking on **Next**.
-
- 
-
-
-5. Once the policy is created click **Close**.
-
- 
-
-
-
-6. Right-click on the newly created policy and choose **Deploy**.
-
- 
-
-7. Target the policy to the newly created Windows 10 collection and click **OK**.
-
- 
-
-After completing this task, you now have successfully configured ASR rules in audit mode.
-
-Below are additional steps to verify whether ASR rules are correctly applied to
-endpoints. (This may take few minutes)
-
-
-1. From a web browser, navigate to .
-
-2. Select **Configuration management** from left side menu.
-
-3. Click **Go to attack surface management** in the Attack surface management panel.
-
- 
-
-4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
-
- 
-
-5. Click each device shows configuration details of ASR rules.
-
- 
-
-See [Optimize ASR rule deployment and
-detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details.
-
-
-### To set Network Protection rules in Audit mode:
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
-
- 
-
-2. Select **Network protection**.
-
-3. Set the setting to **Audit** and click **Next**.
-
- 
-
-4. Confirm the new Exploit Guard Policy by clicking **Next**.
-
- 
-
-5. Once the policy is created click on **Close**.
-
- 
-
-6. Right-click on the newly created policy and choose **Deploy**.
-
- 
-
-7. Select the policy to the newly created Windows 10 collection and choose **OK**.
-
- 
-
-After completing this task, you now have successfully configured Network
-Protection in audit mode.
-
-### To set Controlled Folder Access rules in Audit mode:
-
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
-
- 
-
-2. Select **Controlled folder access**.
-
-3. Set the configuration to **Audit** and click **Next**.
-
- 
-
-4. Confirm the new Exploit Guard Policy by clicking on **Next**.
-
- 
-
-5. Once the policy is created click on **Close**.
-
- 
-
-6. Right-click on the newly created policy and choose **Deploy**.
-
- 
-
-7. Target the policy to the newly created Windows 10 collection and click **OK**.
-
- 
-
-You have now successfully configured Controlled folder access in audit mode.
-
+## Related topics
+- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
+- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index 820cf2766f..3996f745b3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -21,6 +21,9 @@ ms.topic: conceptual
# Overview of attack surface reduction
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
index fd8438a07e..a6bc0dc2a2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
---
# Custom detections overview
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -33,4 +36,4 @@ Custom detections provide:
## Related topics
- [Create detection rules](custom-detection-rules.md)
- [View and manage detection rules](custom-detections-manage.md)
-- [Advanced hunting overview](advanced-hunting-overview.md)
\ No newline at end of file
+- [Advanced hunting overview](advanced-hunting-overview.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
index ed39a6eb0e..4c1e39e0e5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Overview of endpoint detection and response
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
index 7b7ae31f81..cf352dd917 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
@@ -19,6 +19,9 @@ ms.date: 09/07/2018
# Hardware-based isolation in Windows 10
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender ATP.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
index ee58dab8f6..40d005db5a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
---
# Partner applications in Microsoft Defender ATP
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -29,10 +32,83 @@ Microsoft Defender ATP supports third-party applications to help enhance the det
The support for third-party solutions help to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; enabling security teams to effectively respond better to modern threats.
-Microsoft Defender ATP seamlessly integrates with existing security solutions - providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems.
+Microsoft Defender ATP seamlessly integrates with existing security solutions — providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems.
+
+## Supported applications
+
+
+### Security information and analytics
+
+Logo |Partner name | Description
+:---|:---|:---
+| [AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502) | AttackIQ Platform validates Microsoft Defender ATP is configured properly by launching continuous attacks safely on production assets
+| [AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705) | Stream alerts from Microsoft Defender Advanced Threat Protection into Azure Sentinel
+ | [Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)| Correlate Microsoft Defender ATP findings with simulated attacks to validate accurate detection and effective response actions
+ | [Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303) | Elastic Security is a free and open solution for preventing, detecting, and responding to threats
+ | [IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903) | Configure IBM QRadar to collect detections from Microsoft Defender ATP
+ | [Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548) | Use Micro Focus ArcSight to pull Microsoft Defender ATP detections
+ | [RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566) | Stream Microsoft Defender ATP Alerts to RSA NetWitness leveraging Microsoft Graph Security API
+ | [SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)| Gain visibility into Microsoft Defender ATP security events that are automatically correlated with SafeBreach simulations
+ | [Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467) | Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network and threat context to uncover your riskiest vulnerabilities
+ | [Splunk](https://go.microsoft.com/fwlink/?linkid=2129805) | The Microsoft Defender ATP Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk
+ | [XM Cyber](https://go.microsoft.com/fwlink/?linkid=2136700) | Prioritize your response to an alert based on risk factors and high value assets
+
+### Orchestration and automation
+
+
+Logo |Partner name | Description
+:---|:---|:---
+ | [CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943) | CyOps integrates with Microsoft Defender ATP to automate customers' high-speed incident response playbooks
+ | [Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468) | Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Microsoft Defender ATP with its cloud-native SOAR platform, ActiveEye.
+ | [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414) | Demisto integrates with Microsoft Defender ATP to enable security teams to orchestrate and automate endpoint security monitoring, enrichment and response
+ | [Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300) | Use the Microsoft Defender ATP connectors for Azure Logic Apps & Microsoft Flow to automating security procedures
+ | [Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040) | InsightConnect integrates with Microsoft Defender ATP to accelerate, streamline, and integrate your time-intensive security processes
+ | [ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621) | Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration
+ | [Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902) | Maximize incident response capabilities utilizing Swimlane and Microsoft Defender ATP together
+
+
+### Threat intelligence
+
+Logo |Partner name | Description
+:---|:---|:---
+ | [MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2127543) | Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Microsoft Defender ATP environment
+ | [Palo Alto Networks](https://go.microsoft.com/fwlink/?linkid=2099582) | Enrich your endpoint protection by extending Autofocus and other threat feeds to Microsoft Defender ATP using MineMeld
+ | [ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115) | Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Microsoft Defender ATP indicators
+
+
+
+### Network security
+Logo |Partner name | Description
+:---|:---|:---
+ | [Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544) | Ensure Microsoft Defender ATP is installed and updated on each endpoint before allowing access to the network
+ | [Blue Hexagon for Network](https://go.microsoft.com/fwlink/?linkid=2104613) | Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection
+ | [CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620) | Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Microsoft Defender ATP environment
+ |[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)| Vectra applies AI & security research to detect and respond to cyber-attacks in real time
+
+
+### Cross platform
+Logo |Partner name | Description
+:---|:---|:---
+| [Bitdefender](https://go.microsoft.com/fwlink/?linkid=860032)| Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats
+ | [Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)| AI based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy
+| [Corrata](https://go.microsoft.com/fwlink/?linkid=2081148) | Mobile solution — Protect your mobile devices with granular visibility and control from Corrata
+| [Lookout](https://go.microsoft.com/fwlink/?linkid=866935)| Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices
+ | [Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)| SEP Mobile helps businesses predict, detect and prevent security threats and vulnerabilities on mobile devices
+| [Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Microsoft Defender ATP to iOS and Android with Machine Learning-based Mobile Threat Defense
+
+
+## Additional integrations
+Logo |Partner name | Description
+:---|:---|:---
+| [Cyren Web Filter](https://go.microsoft.com/fwlink/?linkid=2108221)| Enhance your Microsoft Defender ATP with advanced Web Filtering
+| [Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)| Provides Moving Target Defense-powered advanced threat prevention and integrates forensics data directly into WD Security Center dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information
+| [THOR Cloud](https://go.microsoft.com/fwlink/?linkid=862988)| Provides on-demand live forensics scans using a signature base with focus on persistent threats
+
+
+
## SIEM integration
-Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md).
+Microsoft Defender ATP supports SIEM integration through a variety of methods — specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md).
## Ticketing and IT service management
Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API.
@@ -45,7 +121,7 @@ Microsoft Defender ATP offers unique automated investigation and remediation cap
Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
-External alerts can be pushed into Microsoft Defender ATP and is presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert - with the real process and the full story of attack.
+External alerts can be pushed into Microsoft Defender ATP and is presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert — with the real process and the full story of attack.
## Indicators matching
You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs).
@@ -55,4 +131,4 @@ Microsoft Defender ATP allows you to integrate with such solutions and act on Io
Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators.
## Support for non-Windows platforms
-Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data giving you a unified experience.
+Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms, including mobile devices. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
index 188a26d5b7..7c6e64db5c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Microsoft Defender ATP partner opportunities and scenarios
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -52,4 +55,4 @@ The above scenarios serve as examples of the extensibility of the platform. You
Follow the steps in [Become a Microsoft Defender ATP partner](get-started-partner-integration.md) to integrate your solution in Microsoft Defender ATP.
## Related topic
-- [Overview of management and APIs](management-apis.md)
\ No newline at end of file
+- [Overview of management and APIs](management-apis.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
index 2b28898f2c..f8d7446a76 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Microsoft Defender Security Center portal overview
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
index 63ca10ace1..7525f68b6e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@@ -18,6 +18,9 @@ ms.topic: article
# Submit or Update Indicator API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
deleted file mode 100644
index dd83d08373..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
+++ /dev/null
@@ -1,213 +0,0 @@
----
-title: Create and build Power BI reports using Microsoft Defender ATP data connectors
-description: Get security insights by creating and building Power BI dashboards using data from Microsoft Defender ATP and other data sources.
-keywords: settings, power bi, power bi service, power bi desktop, reports, dashboards, connectors, security insights, mashup
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.author: macapara
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-
-# Create and build Power BI reports using Microsoft Defender ATP data connectors (Deprecated)
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
->[!WARNING]
->This connector is being deprecated, learn how to [Create Power-BI reports using Microsoft Defender ATP APIs](api-power-bi.md).
-
-
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-powerbireports-abovefoldlink)
-
-Understand the security status of your organization, including the status of devices, alerts, and investigations using the Microsoft Defender ATP reporting feature that integrates with Power BI.
-
-Microsoft Defender ATP supports the use of Power BI data connectors to enable you to connect and access Microsoft Defender ATP data using Microsoft Graph.
-
-Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine data to build reports and dashboards that meet the needs of your organization.
-
-You can easily get started by:
-- Creating a dashboard on the Power BI service
-- Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization
-
-You can access these options from Microsoft Defender Security Center. Both the Power BI service and Power BI Desktop are supported.
-
-## Create a Microsoft Defender ATP dashboard on Power BI service
-Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
-
-1. In the navigation pane, select **Settings** > **General** > **Power BI reports**.
-
-2. Click **Create dashboard**.
-
- 
-
- You'll see a notification that things are being loaded.
-
- 
-
- >[!NOTE]
- >Loading your data in the Power BI service can take a few minutes.
-
-3. Specify the following details:
- - **extensionDataSourceKind**: WDATPConnector
- - **extensionDataSourcePath**: WDATPConnector
- - **Authentication method**: OAuth2
-
- 
-
-4. Click **Sign in**. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
-
- 
-
-5. Click **Accept**. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
-
- 
-
- >[!NOTE]
- >Depending on the number of onboarded devices, loading your data in the Power BI service can take several minutes. A larger number of devices might take longer to load.
-
- When importing data is completed and the dataset is ready, you’ll the following notification:
-
- 
-
-6. Click **View dataset** to explore your data.
-
-
-For more information, see [Create a Power BI dashboard from a report](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-create-a-dashboard/).
-
-## Create a Power BI dashboard from the Power BI portal
-
-1. Login to [Power BI](https://powerbi.microsoft.com/).
-
-2. Click **Get Data**.
-
-3. Select **Microsoft AppSource** > **My Organization** > **Get**.
-
- 
-
-4. In the AppSource window, select **Apps** and search for Microsoft Defender Advanced Threat Protection.
-
- 
-
-5. Click **Get it now**.
-
-6. Specify the following details:
- - **extensionDataSourceKind**: WDATPConnector
- - **extensionDataSourcePath**: WDATPConnector
- - **Authentication method**: OAuth2
-
- 
-
-7. Click **Sign in**. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
-
- 
-
-8. Click **Accept**. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
-
- 
-
- >[!NOTE]
- >Depending on the number of onboarded devices, loading your data in the Power BI service can take several minutes. A larger number of devices might take longer to load.
-
- When importing data is completed and the dataset is ready, you’ll the following notification:
-
- 
-
-9. Click **View dataset** to explore your data.
-
-
-## Build a custom Microsoft Defender ATP dashboard in Power BI Desktop
-You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires.
-
-### Before you begin
-1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).
-
-2. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Power BI reports**.
-
- 
-
-3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it.
-
- 
-
-4. Create a new directory `[Documents]\Power BI Desktop\Custom Connectors`.
-
-5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
-
-6. Open Power BI Desktop.
-
-7. Click **File** > **Options and settings** > **Custom data connectors**.
-
-8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**.
-
- > [!NOTE]
- > If you plan on using Custom Connectors or connectors that you or a third party has developed, you must select *(Not Recommended) Allow any extension to load without warning* under **Power BI Desktop** > **File** > **Options and settings** > **Options** > **Security** > **Data Extensions**".
-
- >[!NOTE]
- >If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**.
-
- 
-
-9. Restart Power BI Desktop.
-
-## Customize the Microsoft Defender ATP Power BI dashboard
-After completing the steps in the Before you begin section, you can proceed with building your custom dashboard.
-
-1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
-
-2. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
-
- 
-
-3. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
-
-
-
-## Mashup Microsoft Defender ATP data with other data sources
-You can use Power BI Desktop to analyze data from Microsoft Defender ATP and mash that data up with other data sources to gain better security perspective in your organization.
-
-1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**.
-
-2. Click **Connect**.
-
-3. On the Preview Connector windows, click **Continue**.
-
-4. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
-
- 
-
-5. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
-
-6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph.
-
-7. Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source.
-
-8. Add visuals and select fields from the available data sources.
-
-## Using the Power BI reports
-There are a couple of tabs on the report that's generated:
-
-- Device and alerts
-- Investigation results and action center
-- Secure Score
-
-In general, if you know of a specific threat name, CVE, or KB, you can identify devices with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether device-level mitigations are configured correctly on the devices and prioritize those that might need attention.
-
-
-## Related topic
-- [Create custom Power BI reports](api-power-bi.md)
-
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
index 586639ebc5..f5f432ad15 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
@@ -19,6 +19,9 @@ ms.topic: article
# Configure Microsoft Defender Security Center settings
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
index 56d83bd553..1217b7de99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -21,6 +21,9 @@ ms.topic: article
# Prepare Microsoft Defender ATP deployment
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md
index 5aef332edd..f031b9edd9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md
@@ -18,6 +18,9 @@ ms.topic: article
---
# Turn on the preview experience in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -37,5 +40,4 @@ Turn on the preview experience setting to be among the first to try upcoming fea
- [Turn on advanced features in Microsoft Defender ATP](advanced-features.md)
- [Configure email notifications in Microsoft Defender ATP](configure-email-notifications.md)
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti.md)
-- [Create and build Power BI reports](powerbi-reports.md)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index 2586120da8..f8627a6658 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Microsoft Defender ATP preview features
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -47,6 +50,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
+- [Microsoft Defender ATP for iOS](microsoft-defender-atp-ios.md)
Microsoft Defender ATP now adds support for iOS. Learn how to install, configure, and use Microsoft Defender ATP for iOS.
+
- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android.
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
@@ -70,8 +75,6 @@ Information protection is an integral part of Microsoft 365 Enterprise suite, pr
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019)
Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices.
-- [Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index dd1f0dfe6b..6e8ce89f59 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -21,6 +21,9 @@ ms.topic: article
# Set up Microsoft Defender ATP deployment
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index 4c7de91e8a..38400901cd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -19,6 +19,9 @@ ms.topic: article
# Pull Microsoft Defender ATP detections using SIEM REST API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
index 82d8d9e9f6..8dfa3de26f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@@ -19,6 +19,9 @@ ms.topic: article
# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Azure Event Hubs
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
index 7ce30e67ff..136bd67acd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@@ -19,6 +19,9 @@ ms.topic: article
# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
index 1aabe438b0..70e5354db8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
@@ -19,6 +19,9 @@ ms.topic: article
# Raw Data Streaming API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md
index ed0050fd05..6b595daea4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/rbac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/rbac.md
@@ -18,6 +18,9 @@ ms.topic: article
---
# Manage portal access using role-based access control
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- Azure Active Directory
- Office 365
@@ -72,4 +75,4 @@ Someone with a Microsoft Defender ATP Global administrator role has unrestricted
## Related topic
-- [Create and manage device groups in Microsoft Defender ATP](machine-groups.md)
\ No newline at end of file
+- [Create and manage device groups in Microsoft Defender ATP](machine-groups.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
index 4435b74d94..c094ae5bec 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
@@ -18,6 +18,9 @@ ms.topic: article
# Recommendation resource type
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 9f59dc9622..cad6f89bbe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -19,6 +19,9 @@ ms.topic: article
# Take response actions on a file
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
index 6d56a12fd2..62ea654ded 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
@@ -19,6 +19,9 @@ ms.topic: article
# Take response actions on a device
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -38,7 +41,7 @@ Response actions run along the top of a specific device page and include:
- Consult a threat expert
- Action center
-
+[  ](images/response-actions.png#lightbox)
You can find device pages from any of the following views:
@@ -65,11 +68,11 @@ For more information on automated investigations, see [Overview of Automated inv
## Initiate Live Response Session
-Live response is a capability that gives you instantaneous access to a device using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
+Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats — real time.
Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
-For more information on live response, see [Investigate entities on devices using live response](live-response.md)
+For more information on live response, see [Investigate entities on devices using live response](live-response.md).
## Collect investigation package from devices
@@ -95,17 +98,17 @@ The package contains the following folders:
| Folder | Description |
|:---|:---------|
-|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the device. NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” |
+|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the device. NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”
|
|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). |
-|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections. - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack. - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. - FirewallExecutionLog.txt and pfirewall.log |
+|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections. - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that might have been used to run an internal attack. - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. - FirewallExecutionLog.txt and pfirewall.log |
| Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. |
-| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state. |
-| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen device to look for suspicious code which was set to run automatically. |
-| Security event log| Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. NOTE: Open the event log file using Event viewer. |
-| Services| Contains a .CSV file which lists services and their states. |
-| Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession. NOTE: If there are no sessions (inbound or outbound), you'll get a text file which tell you that there are no SMB sessions found. |
+| Processes| Contains a .CSV file listing the running processes, which provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state. |
+| Scheduled tasks| Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen device to look for suspicious code which was set to run automatically. |
+| Security event log| Contains the security event log, which contains records of login or logout activity, or other security-related events specified by the system's audit policy. NOTE: Open the event log file using Event viewer.
|
+| Services| Contains a .CSV file that lists services and their states. |
+| Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession. NOTE: If there are no sessions (inbound or outbound), you'll get a text file which tell you that there are no SMB sessions found.
|
| System Information| Contains a SystemInformation.txt file which lists system information such as OS version and network cards. |
-| Temp Directories| Contains a set of text files that lists the files located in %Temp% for every user in the system. This can help to track suspicious files that an attacker may have dropped on the system. NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system. |
+| Temp Directories| Contains a set of text files that lists the files located in %Temp% for every user in the system. This can help to track suspicious files that an attacker may have dropped on the system. NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system.
|
| Users and Groups| Provides a list of files that each represent a group and its members. |
|WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab |
| CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. |
@@ -124,6 +127,11 @@ One you have selected **Run antivirus scan**, select the scan type that you'd li
The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Microsoft Defender AV alerts will reflect any detections that surfaced during the scan.
+>[!NOTE]
+>When triggering a scan using Microsoft Defender ATP response action, Microsoft Defender antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU impact of the scan.
+>If ScanAvgCPULoadFactor is not configured, the default value is a limit of 50% maximum CPU load during a scan.
+>For more information, see [configure-advanced-scan-types-microsoft-defender-antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus).
+
## Restrict app execution
In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
index c3c9a2b79a..f4b6552adb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
@@ -18,6 +18,9 @@ ms.topic: article
# Restrict app execution API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
index 4efc0b82c2..b956165700 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
@@ -18,6 +18,9 @@ ms.date: 5/1/2020
# Review alerts in Microsoft Defender Advanced Threat Protection
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -99,4 +102,4 @@ When making the move to the new alert page you will notice that we have centrali
- [View and organize the incidents queue](view-incidents-queue.md)
- [Investigate incidents](investigate-incidents.md)
-- [Manage incidents](manage-incidents.md)
\ No newline at end of file
+- [Manage incidents](manage-incidents.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
index 2625952949..a902dc094d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@@ -19,6 +19,9 @@ ms.topic: article
# Advanced hunting API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -26,8 +29,9 @@ ms.topic: article
## Limitations
1. You can only run a query on data from the last 30 days.
2. The results will include a maximum of 100,000 rows.
-3. The number of executions is limited per tenant: up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day.
+3. The number of executions is limited per tenant: up to 10 calls per minute, 10 minutes of running time every hour and 4 hours of running time a day.
4. The maximal execution time of a single request is 10 minutes.
+5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
index 87da20c0c1..00381d0550 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
@@ -18,6 +18,9 @@ ms.topic: article
---
# Advanced Hunting using PowerShell
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
index 9163a45a52..282cc94d06 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
@@ -19,6 +19,9 @@ ms.topic: article
# Advanced Hunting using Python
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -146,4 +149,4 @@ outputFile.close()
## Related topic
- [Microsoft Defender ATP APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
-- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
\ No newline at end of file
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
index cc7fc6a3ce..1219b9aa21 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
@@ -18,6 +18,9 @@ ms.topic: article
# Run antivirus scan API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
index d87232b04b..257fb9494d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
@@ -19,6 +19,9 @@ ms.topic: article
# Run a detection test on a newly onboarded Microsoft Defender ATP device
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- Supported Windows 10 versions
- Windows Server 2012 R2
diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md
index 40615f1991..edeeea026b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/score.md
@@ -18,6 +18,9 @@ ms.topic: article
# Score resource type
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
index 1fdb856b5d..608a4bedcf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Microsoft Defender Security Center Security operations dashboard
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/service-status.md b/windows/security/threat-protection/microsoft-defender-atp/service-status.md
index 0caa79489b..b9325d8184 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/service-status.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/service-status.md
@@ -19,6 +19,9 @@ ms.topic: article
# Check the Microsoft Defender Advanced Threat Protection service health
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -26,7 +29,7 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-servicestatus-abovefoldlink)
-The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
+The **Service health** provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md
index bacc9d839f..514baa2899 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/software.md
@@ -18,6 +18,9 @@ ms.topic: article
# Software resource type
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
index 1a065cce0b..60c046ee70 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
@@ -18,6 +18,9 @@ ms.topic: article
# Stop and quarantine file API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
index 1858d780e2..2fa6615e6a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Supported Microsoft Defender ATP query APIs
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md
new file mode 100644
index 0000000000..c9b60c2b17
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md
@@ -0,0 +1,63 @@
+---
+title: Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint
+description: Make the switch to Microsoft Defender for Endpoint. Read this article for an overview.
+keywords: migration, windows defender advanced endpoint protection, for Endpoint, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-migratetomdatp
+- m365solution-overview
+ms.topic: conceptual
+ms.custom: migrationguides
+ms.date: 09/24/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint
+
+If you are planning to switch from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), and you're looking for help, you're in the right place. Use this article as a guide to plan your migration.
+
+> [!TIP]
+> - If you're currently using McAfee Endpoint Security (McAfee), see [Migrate from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md).
+> - If you're currently using Symantec Endpoint Protection (Symantec), see [Migrate from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md).
+
+## The migration process
+
+When you switch to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
+
+|Phase |Description |
+|--|--|
+|[](switch-to-microsoft-defender-prepare.md)
[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
+|[](switch-to-microsoft-defender-setup.md)
[Set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and your existing endpoint protection solution. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
+|[](switch-to-microsoft-defender-onboard.md)
[Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall your existing endpoint protection solution and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
+
+## What's included in Microsoft Defender for Endpoint?
+
+In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
+
+| Feature/Capability | Description |
+|---|---|
+| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
+| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
+| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
+| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
+| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
+| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
+| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
+| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
+
+**Want to learn more? See [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection).**
+
+## Next step
+
+- Proceed to [Prepare for your migration](switch-to-microsoft-defender-prepare.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
new file mode 100644
index 0000000000..4852139083
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
@@ -0,0 +1,93 @@
+---
+title: Switch to Microsoft Defender for Endpoint - Onboard
+description: This is phase 3, Onboard, for migrating from a non-Microsoft solution to Microsoft Defender for Endpoint.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.technology: windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-migratetomdatp
+ms.custom: migrationguides
+ms.topic: article
+ms.date: 09/24/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Switch to Microsoft Defender for Endpoint - Phase 3: Onboard
+
+|[](switch-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |[](switch-to-microsoft-defender-setup.md)
[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |
Phase 3: Onboard |
+|--|--|--|
+|| |*You are here!* |
+
+
+**Welcome to Phase 3 of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
+
+1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
+2. [Run a detection test](#run-a-detection-test).
+3. [Uninstall your non-Microsoft solution](#uninstall-your-non-microsoft-solution).
+4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
+
+## Onboard devices to Microsoft Defender for Endpoint
+
+1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
+
+2. Choose **Settings** > **Device management** > **Onboarding**.
+
+3. In the **Select operating system to start onboarding process** list, select an operating system.
+
+4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
+
+### Onboarding methods
+
+Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
+
+|Operating system |Method |
+|---------|---------|
+|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)
**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). |
+|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+|- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
+|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)
iOS
Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) |
+
+## Run a detection test
+
+To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
+
+
+|Operating system |Guidance |
+|---------|---------|
+|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
+|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).
For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). |
+|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.
For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). |
+
+## Uninstall your non-Microsoft solution
+
+Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall your non-Microsoft endpoint protection solution.
+
+To get help with this step, reach out to your solution provider's technical support team.
+
+## Make sure Microsoft Defender for Endpoint is in active mode
+
+Now that you have uninstalled your non-Microsoft endpoint protection solution, your next step is to make sure that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are enabled and in active mode.
+
+To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
+- Cloud-delivered protection
+- Potentially Unwanted Applications (PUA)
+- Network Protection (NP)
+
+## Next steps
+
+**Congratulations**! You have completed your [migration to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
+
+- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
+- [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
new file mode 100644
index 0000000000..5896bc9f4e
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
@@ -0,0 +1,114 @@
+---
+title: Switch to Microsoft Defender for Endpoint - Prepare
+description: This is phase 1, Prepare, for migrating to Microsoft Defender for Endpoint.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.technology: windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-migratetomdatp
+ms.topic: article
+ms.custom: migrationguides
+ms.date: 09/22/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Switch to Microsoft Defender for Endpoint - Phase 1: Prepare
+
+|
Phase 1: Prepare |[](switch-to-microsoft-defender-setup.md)
[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |[](switch-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
+|--|--|--|
+|*You are here!*| | |
+
+
+**Welcome to the Prepare phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**.
+
+This migration phase includes the following steps:
+1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)
+2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
+3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
+4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
+
+## Get and deploy updates across your organization's devices
+
+As a best practice, keep your organization's devices and endpoints up to date. Make sure your existing endpoint protection and antivirus solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
+
+### Make sure your existing solution is up to date
+
+Keep your existing endpoint protection solution up to date, and make sure that your organization's devices have the latest security updates.
+
+Need help? See your solution provider's documentation.
+
+### Make sure your organization's devices are up to date
+
+Need help updating your organization's devices? See the following resources:
+
+|OS | Resource |
+|:--|:--|
+|Windows |[Microsoft Update](https://www.update.microsoft.com) |
+|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541)|
+|iOS |[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)|
+|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) |
+|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) |
+
+## Get Microsoft Defender for Endpoint
+
+Now that you've updated your organization's devices, the next step is to get Microsoft Defender for Endpoint, assign licenses, and make sure the service is provisioned.
+
+1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
+
+2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
+
+3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
+
+4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
+
+At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
+
+> [!NOTE]
+> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender for Endpoint portal, and can be accessed at [https://aka.ms/MDATPportal](https://aka.ms/MDATPportal).
+
+## Grant access to the Microsoft Defender Security Center
+
+The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
+
+Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
+
+1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
+
+2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
+
+ If your organization requires a method other than Intune, choose one of the following options:
+ - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
+ - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
+ - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
+
+3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
+
+## Configure device proxy and internet connectivity settings
+
+To enable communication between your devices and Microsoft Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
+
+|Capabilities | Operating System | Resources |
+|--|--|--|
+|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
+|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
+|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
+|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
+|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
+|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) |
+
+## Next step
+
+**Congratulations**! You have completed the **Prepare** phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
+
+- [Proceed to set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
new file mode 100644
index 0000000000..b8c66898af
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
@@ -0,0 +1,254 @@
+---
+title: Switch to Microsoft Defender for Endpoint - Setup
+description: This is phase 2, Setup, for switching to Microsoft Defender for Endpoint.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.technology: windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-migratetomdatp
+ms.topic: article
+ms.custom: migrationguides
+ms.date: 09/22/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Switch to Microsoft Defender for Endpoint - Phase 2: Setup
+
+|[](switch-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |
Phase 2: Set up |[](switch-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
+|--|--|--|
+||*You are here!* | |
+
+
+**Welcome to the Setup phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
+1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
+2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
+3. [Add Microsoft Defender for Endpoint to the exclusion list for your existing endpoint solution](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution).
+4. [Add your existing solution to the exclusion list for Microsoft Defender Antivirus](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus).
+5. [Add your existing solution to the exclusion list for Microsoft Defender for Endpoint](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
+6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
+7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
+
+## Enable Microsoft Defender Antivirus and confirm it's in passive mode
+
+On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).)
+
+This step of the migration process includes the following tasks:
+- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server)
+- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server);
+- [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)
+- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and
+- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode).
+
+### Set DisableAntiSpyware to false on Windows Server
+
+The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
+
+1. On your Windows Server device, open Registry Editor.
+
+2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
+
+3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
+
+ - If you do not see that entry, you're all set.
+
+ - If you do see **DisableAntiSpyware**, proceed to step 4.
+
+4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
+
+5. Set the value to `0`. (This sets the registry key's value to *false*.)
+
+> [!TIP]
+> To learn more about this registry key, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).
+
+### Reinstall Microsoft Defender Antivirus on Windows Server
+
+> [!NOTE]
+> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
+> - Windows Server 2019
+> - Windows Server, version 1803 (core-only mode)
+> - Windows Server 2016
+
+1. As a local administrator on the endpoint or device, open Windows PowerShell.
+
+2. Run the following PowerShell cmdlets:
+
+ `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
+
+ `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+
+3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
+
+ `Get-Service -Name windefend`
+
+> [!TIP]
+> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
+
+### Set Microsoft Defender Antivirus to passive mode on Windows Server
+
+Because your organization is still using your existing endpoint protection solution, you must set Microsoft Defender Antivirus to passive mode. That way, your existing solution and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
+
+1. Open Registry Editor, and then navigate to
+ `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
+
+2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
+
+ - Set the DWORD's value to **1**.
+
+ - Under **Base**, select **Hexadecimal**.
+
+> [!NOTE]
+> You can use other methods to set the registry key, such as the following:
+>- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
+>- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
+>- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
+
+### Enable Microsoft Defender Antivirus on your Windows client devices
+
+Because your organization has been using a non-Microsoft antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
+
+To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
+
+|Method |What to do |
+|---------|---------|
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
+|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+
+### Confirm that Microsoft Defender Antivirus is in passive mode
+
+Microsoft Defender Antivirus can run alongside your existing endpoint protection solution if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
+
+|Method |What to do |
+|---------|---------|
+|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
+
+> [!NOTE]
+> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
+
+## Get updates for Microsoft Defender Antivirus
+
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+
+There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
+- Security intelligence updates
+- Product updates
+
+To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
+
+## Add Microsoft Defender for Endpoint to the exclusion list for your existing solution
+
+This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using.
+
+> [!TIP]
+> To get help configuring exclusions, refer to your solution provider's documentation.
+
+The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
+
+|OS |Exclusions |
+|--|--|
+|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
+|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+
+## Add your existing solution to the exclusion list for Microsoft Defender Antivirus
+
+During this step of the setup process, you add your existing solution to the Microsoft Defender Antivirus exclusion list.
+
+When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
+- Path exclusions exclude specific files and whatever those files access.
+- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
+- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
+- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
+
+You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
+
+|Method | What to do|
+|--|--|
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. |
+|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
+|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. |
+|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
+|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
+
+## Add your existing solution to the exclusion list for Microsoft Defender for Endpoint
+
+To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
+
+1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
+
+2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
+
+3. On the **File hashes** tab, choose **Add indicator**.
+
+3. On the **Indicator** tab, specify the following settings:
+ - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
+ - Under **Expires on (UTC)**, choose **Never**.
+
+4. On the **Action** tab, specify the following settings:
+ - **Response Action**: **Allow**
+ - Title and description
+
+5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
+
+6. On the **Summary** tab, review the settings, and then click **Save**.
+
+### Find a file hash using CMPivot
+
+CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
+
+To use CMPivot to get your file hash, follow these steps:
+
+1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
+
+2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
+
+3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
+
+4. Select the **Query** tab.
+
+5. In the **Device Collection** list, and choose **All Systems (default)**.
+
+6. In the query box, type the following query:
+
+```kusto
+File(c:\\windows\\notepad.exe)
+| project Hash
+```
+> [!NOTE]
+> In the query above, replace *notepad.exe* with the your third-party security product process name.
+
+## Set up your device groups, device collections, and organizational units
+
+| Collection type | What to do |
+|--|--|
+|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. |
+|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
+|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
+
+## Configure antimalware policies and real-time protection
+
+Using Configuration Manager and your device collection(s), configure your antimalware policies.
+
+- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
+
+- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
+
+> [!TIP]
+> You can deploy the policies before your organization's devices on onboarded.
+
+## Next step
+
+**Congratulations**! You have completed the Setup phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
+
+- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
index 9e26a9fef5..371f380e63 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
@@ -1,10 +1,11 @@
---
-title: Migrate from Symantec to Microsoft Defender ATP
-description: Make the switch from Symantec to Microsoft Defender ATP
+title: Migrate from Symantec to Microsoft Defender for Endpoint
+description: Get an overview of how to make the switch from Symantec to Microsoft Defender for Endpoint
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -17,30 +18,36 @@ ms.collection:
- M365-security-compliance
- m365solution-symantecmigrate
- m365solution-overview
-ms.topic: article
+ms.topic: conceptual
+ms.date: 09/22/2020
+ms.custom: migrationguides
+ms.reviewer: depicker, yongrhee, chriggs
---
-# Migrate from Symantec to Microsoft Defender Advanced Threat Protection
+# Migrate from Symantec to Microsoft Defender for Endpoint
-If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP), you're in the right place. Use this article as a guide to plan your migration.
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), you're in the right place. Use this article as a guide to plan your migration.
## The migration process
-When you switch from Symantec to Microsoft Defender ATP, you follow a process that can be divided into three phases, as described in the following table:
+When you switch from Symantec to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
|Phase |Description |
|--|--|
-|[](symantec-to-microsoft-defender-atp-prepare.md)
[Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you get Microsoft Defender ATP, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender ATP. |
-|[](symantec-to-microsoft-defender-atp-setup.md)
[Set up Microsoft Defender ATP](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender ATP, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[](symantec-to-microsoft-defender-atp-onboard.md)
[Onboard to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender ATP and verify that those devices are communicating with Microsoft Defender ATP. Last, you uninstall Symantec and make sure protection through Microsoft Defender ATP is in active mode. |
+|[](symantec-to-microsoft-defender-atp-prepare.md)
[Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
+|[](symantec-to-microsoft-defender-atp-setup.md)
[Set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
+|[](symantec-to-microsoft-defender-atp-onboard.md)
[Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall Symantec and make sure protection through Microsoft Defender for Endpoint is in active mode. |
-## What's included in Microsoft Defender ATP?
+## What's included in Microsoft Defender for Endpoint?
-In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender ATP. However, Microsoft Defender ATP includes much more than antivirus and endpoint protection. Microsoft Defender ATP is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender ATP.
+In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
| Feature/Capability | Description |
|---|---|
-| [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & Vulnerability Management capabilities helps identify, assess, and remediate weaknesses across your endpoints (such as devices). |
+| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
@@ -49,7 +56,7 @@ In this migration guide, we focus on [next-generation protection](https://docs.m
| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
-**Want to learn more? See [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection).**
+**Want to learn more? See [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection).**
## Next step
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
index 6c7c329a2e..38143cfd5f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
@@ -1,10 +1,11 @@
---
-title: Phase 3 - Onboard to Microsoft Defender ATP
-description: Make the switch from Symantec to Microsoft Defender ATP
+title: Symantec to Microsoft Defender for Endpoint - Phase 3, Onboarding
+description: This is Phase 3, Onboarding, of migrating from Symantec to Microsoft Defender for Endpoint
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -17,23 +18,29 @@ ms.collection:
- M365-security-compliance
- m365solution-symantecmigrate
ms.topic: article
+ms.date: 09/24/2020
+ms.custom: migrationguides
+ms.reviewer: depicker, yongrhee, chriggs
---
-# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender ATP
+# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender for Endpoint
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
|[](symantec-to-microsoft-defender-atp-prepare.md)
[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[](symantec-to-microsoft-defender-atp-setup.md)
[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |
Phase 3: Onboard |
|--|--|--|
|| |*You are here!* |
-**Welcome to Phase 3 of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This migration phase includes the following steps:
+**Welcome to Phase 3 of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This migration phase includes the following steps:
-1. [Onboard devices to Microsoft Defender ATP](#onboard-devices-to-microsoft-defender-atp).
+1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
2. [Run a detection test](#run-a-detection-test).
3. [Uninstall Symantec](#uninstall-symantec).
-4. [Make sure Microsoft Defender ATP is in active mode](#make-sure-microsoft-defender-atp-is-in-active-mode).
+4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
-## Onboard devices to Microsoft Defender ATP
+## Onboard devices to Microsoft Defender for Endpoint
1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
@@ -41,7 +48,7 @@ ms.topic: article
3. In the **Select operating system to start onboarding process** list, select an operating system.
-4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods).
+4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
### Onboarding methods
@@ -57,7 +64,7 @@ Deployment methods vary, depending on which operating system is selected. Refer
## Run a detection test
-To verify that your onboarded devices are properly connected to Microsoft Defender ATP, you can run a detection test.
+To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
|Operating system |Guidance |
@@ -68,7 +75,7 @@ To verify that your onboarded devices are properly connected to Microsoft Defend
## Uninstall Symantec
-Now that you have onboarded your organization's devices to Microsoft Defender ATP, your next step is to uninstall Symantec.
+Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall Symantec.
1. [Disable Tamper Protection](https://knowledge.broadcom.com/external/article?legacyId=tech192023) in Symantec.
@@ -77,24 +84,25 @@ Now that you have onboarded your organization's devices to Microsoft Defender AT
2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`.
3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**.
-3. Remove Symantec from your devices. If you need help with this, see the following Broadcom resources:
+3. Remove Symantec from your devices. If you need help with this, see Broadcom's documentation. Here are a few Broadcom resources:
- [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html)
- Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040)
- macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387)
- Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054)
-## Make sure Microsoft Defender ATP is in active mode
+## Make sure Microsoft Defender for Endpoint is in active mode
-Now that you have uninstalled Symantec, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode.
+Now that you have uninstalled Symantec, your next step is to make sure that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are enabled and in active mode.
-To do this, visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
+To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
- Cloud-delivered protection
- Potentially Unwanted Applications (PUA)
- Network Protection (NP)
## Next steps
-**Congratulations**! You have completed your [migration from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
+**Congratulations**! You have completed your [migration from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-- [Manage Microsoft Defender Advanced Threat Protection, post migration](manage-atp-post-migration.md).
+
+- [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
index 2a678e94e4..cc678c90eb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
@@ -1,10 +1,11 @@
---
-title: Phase 1 - Prepare for your migration to Microsoft Defender ATP
-description: Phase 1 of "Make the switch from Symantec to Microsoft Defender ATP". Prepare for your migration.
+title: Symantec to Microsoft Defender for Endpoint - Phase 1, Preparing
+description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft Defender for Endpoint.
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -17,42 +18,48 @@ ms.collection:
- M365-security-compliance
- m365solution-symantecmigrate
ms.topic: article
+ms.date: 09/22/2020
+ms.custom: migrationguides
+ms.reviewer: depicker, yongrhee, chriggs
---
# Migrate from Symantec - Phase 1: Prepare for your migration
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
|
Phase 1: Prepare |[](symantec-to-microsoft-defender-atp-setup.md)
[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[](symantec-to-microsoft-defender-atp-onboard.md)
[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|--|--|--|
|*You are here!*| | |
-**Welcome to the Prepare phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**.
+**Welcome to the Prepare phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**.
This migration phase includes the following steps:
-1. [Get Microsoft Defender ATP](#get-microsoft-defender-atp).
+1. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
2. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
3. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
-## Get Microsoft Defender ATP
+## Get Microsoft Defender for Endpoint
-To get started, you must have Microsoft Defender ATP, with licenses assigned and provisioned.
+To get started, you must have Microsoft Defender for Endpoint, with licenses assigned and provisioned.
-1. Buy or try Microsoft Defender ATP today. [Visit Microsoft Defender ATP to start a free trial or request a quote](https://aka.ms/mdatp).
+1. Buy or try Microsoft Defender for Endpoint today. [Visit Microsoft Defender for Endpoint to start a free trial or request a quote](https://aka.ms/mdatp).
2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender ATP. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
+3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
+4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
> [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender ATP portal.
+> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender for Endpoint portal.
## Grant access to the Microsoft Defender Security Center
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender ATP. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
+The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
@@ -69,19 +76,19 @@ Permissions to the Microsoft Defender Security Center can be granted by using ei
## Configure device proxy and internet connectivity settings
-To enable communication between your devices and Microsoft Defender ATP, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
+To enable communication between your devices and Microsoft Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
|Capabilities | Operating System | Resources |
-|--|--|--|
+|:----|:----|:---|
|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections)
+|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) |
## Next step
-**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
+**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
-- [Proceed to set up Microsoft Defender ATP](symantec-to-microsoft-defender-atp-setup.md).
+- [Proceed to set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
index a3c0638d1e..f36e72d95c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
@@ -1,10 +1,11 @@
---
-title: Phase 2 - Set up Microsoft Defender ATP
-description: Phase 2 - Set up Microsoft Defender ATP
+title: Symantec to Microsoft Defender for Endpoint - Phase 2, Setting Up
+description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Defender for Endpoint
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
+ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -17,23 +18,30 @@ ms.collection:
- M365-security-compliance
- m365solution-symantecmigrate
ms.topic: article
+ms.date: 09/24/2020
+ms.custom: migrationguides
+ms.reviewer: depicker, yongrhee, chriggs
---
-# Migrate from Symantec - Phase 2: Set up Microsoft Defender ATP
+# Migrate from Symantec - Phase 2: Set up Microsoft Defender for Endpoint
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
|[](symantec-to-microsoft-defender-atp-prepare.md)
[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |
Phase 2: Set up |[](symantec-to-microsoft-defender-atp-onboard.md)
[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|--|--|--|
||*You are here!* | |
-**Welcome to the Setup phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This phase includes the following steps:
+**Welcome to the Setup phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This phase includes the following steps:
1. [Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)](#enable-or-reinstall-microsoft-defender-antivirus-for-certain-versions-of-windows).
2. [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus).
-3. [Add Microsoft Defender ATP to the exclusion list for Symantec](#add-microsoft-defender-atp-to-the-exclusion-list-for-symantec).
-4. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus).
-5. [Add Symantec to the exclusion list for Microsoft Defender ATP](#add-symantec-to-the-exclusion-list-for-microsoft-defender-atp).
-6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
+3. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
+4. [Add Microsoft Defender for Endpoint to the exclusion list for Symantec](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-symantec).
+5. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus).
+6. [Add Symantec to the exclusion list for Microsoft Defender for Endpoint](#add-symantec-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
+7. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
+8. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
## Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)
@@ -42,7 +50,7 @@ ms.topic: article
On certain versions of Windows, Microsoft Defender Antivirus might have been uninstalled or disabled. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as Symantec. To learn more, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-Now that you're moving from Symantec to Microsoft Defender ATP, you'll need to enable or reinstall Microsoft Defender Antivirus, and set it to passive mode.
+Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll need to enable or reinstall Microsoft Defender Antivirus, and set it to passive mode.
### Reinstall Microsoft Defender Antivirus on Windows Server
@@ -68,7 +76,7 @@ Now that you're moving from Symantec to Microsoft Defender ATP, you'll need to e
### Set Microsoft Defender Antivirus to passive mode on Windows Server
-Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender ATP.
+Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
1. Open Registry Editor, and then navigate to
`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
@@ -102,14 +110,24 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def
|Method |What to do |
|---------|---------|
|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus?view=win10-ps) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
-## Add Microsoft Defender ATP to the exclusion list for Symantec
+## Get updates for Microsoft Defender Antivirus
-This step of the setup process involves adding Microsoft Defender ATP to the exclusion list for Symantec and any other security products your organization is using. The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+
+There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
+- Security intelligence updates
+- Product updates
+
+To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
+
+## Add Microsoft Defender for Endpoint to the exclusion list for Symantec
+
+This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for Symantec and any other security products your organization is using. The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
|OS |Exclusions |
|--|--|
@@ -139,9 +157,9 @@ You can choose from several methods to add your exclusions to Microsoft Defender
|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
-## Add Symantec to the exclusion list for Microsoft Defender ATP
+## Add Symantec to the exclusion list for Microsoft Defender for Endpoint
-To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
+To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
@@ -207,6 +225,6 @@ Using Configuration Manager and your device collection(s), configure your antima
## Next step
-**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
+**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
-- [Proceed to Phase 3: Onboard to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-onboard.md)
+- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
index 7612d8d24a..caf55924e5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
@@ -19,6 +19,9 @@ ms.topic: article
---
# Track and respond to emerging threats with threat analytics
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
index c470a3566b..3ad5cff1e5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
@@ -18,6 +18,9 @@ ms.topic: conceptual
---
# Event timeline - threat and vulnerability management
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 87bf456ec8..9e981319a8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -19,6 +19,9 @@ ms.topic: article
# Scenarios - threat and vulnerability management
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
index 4f2f261f8a..a4691bc3cc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Understand threat intelligence concepts
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
index 7df606ba66..a8d1540ac2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
# Microsoft Defender ATP and other Microsoft solutions
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -63,4 +66,4 @@ The Skype for Business integration provides a way for analysts to communicate wi
- [Configure integration and other advanced features](advanced-features.md)
- [Microsoft Threat Protection overview](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
- [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
-- [Protect users, data, and devices with Conditional Access](conditional-access.md)
\ No newline at end of file
+- [Protect users, data, and devices with Conditional Access](conditional-access.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md
index de32213341..3fff8e808b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md
@@ -19,6 +19,9 @@ ms.topic: article
# Threat protection report in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -85,4 +88,4 @@ For example, to show data about high-severity alerts only:
3. Select **Apply**.
## Related topic
-- [Device health and compliance report](machine-reports.md)
\ No newline at end of file
+- [Device health and compliance report](machine-reports.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
index 9c418be987..039703000c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
@@ -18,6 +18,9 @@ ms.topic: article
# Indicator resource type
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -75,4 +78,4 @@ rbacGroupNames | List of strings | RBAC device group names where the indicator i
"lastUpdatedBy": null,
"rbacGroupNames": ["team1"]
}
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
index 76487204a2..c2362f07ac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
@@ -19,6 +19,9 @@ ms.topic: article
# Microsoft Defender Security Center time zone settings
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
index be0e27f27a..ba95b235f8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
@@ -19,6 +19,9 @@ ms.custom: asr
# Troubleshoot attack surface reduction rules
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md
new file mode 100644
index 0000000000..eecaf63643
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md
@@ -0,0 +1,75 @@
+---
+title: Collect support logs in Microsoft Defender ATP using live response
+description: Learn how to collect logs using live response to troubleshoot Microsoft Defender ATP issues
+keywords: support, log, collect, troubleshoot, live response, liveanalyzer, analyzer, live, response
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: troubleshooting
+---
+
+# Collect support logs in Microsoft Defender ATP using live response
+
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+When contacting support, you may be asked to provide the output package of the Microsoft Defender ATP Client Analyzer tool.
+
+This topic provides instructions on how to run the tool via Live Response.
+
+1. Download the appropriate script
+ * Microsoft Defender ATP client sensor logs only: [LiveAnalyzer.ps1 script](https://aka.ms/MDATPLiveAnalyzer).
+ - Result package approximate size: ~100Kb
+ * Microsoft Defender ATP client sensor and Antivirus logs: [LiveAnalyzer+MDAV.ps1 script](https://aka.ms/MDATPLiveAnalyzerAV).
+ - Result package approximate size: ~10Mb
+
+2. Initiate a [Live Response session](live-response.md#initiate-a-live-response-session-on-a-device) on the machine you need to investigate.
+
+3. Select **Upload file to library**.
+
+ 
+
+4. Select **Choose file**.
+
+ 
+
+5. Select the downloaded file named MDATPLiveAnalyzer.ps1 and then click on **Confirm**
+
+
+ 
+
+
+6. While still in the LiveResponse session, use the commands below to run the analyzer and collect the result file:
+
+ ```console
+ Run MDATPLiveAnalyzer.ps1
+ GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDATPClientAnalyzerResult.zip" -auto
+ ```
+
+ 
+
+
+>[!NOTE]
+> - The latest preview version of MDATPClientAnalyzer can be downloaded here: [https://aka.ms/Betamdatpanalyzer](https://aka.ms/Betamdatpanalyzer).
+>
+> - The LiveAnalyzer script downloads the troubleshooting package on the destination machine from: https://mdatpclientanalyzer.blob.core.windows.net.
+>
+> If you cannot allow the machine to reach the above URL, then upload MDATPClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script:
+>
+> ```console
+> PutFile MDATPClientAnalyzerPreview.zip -overwrite
+> Run MDATPLiveAnalyzer.ps1
+> GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDATPClientAnalyzerResult.zip" -auto
+> ```
+>
+> - For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender ATP cloud services, or does not appear in MDATP portal as expected, see [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
index 05cd741da3..2773899fc2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
@@ -18,6 +18,9 @@ manager: dansimp
# Troubleshoot exploit protection mitigations
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
index b993541266..db3f3bee81 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
@@ -19,6 +19,9 @@ ms.topic: troubleshooting
# Troubleshoot Microsoft Defender Advanced Threat Protection live response issues
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
index 9c1e48b7e4..e044d0457b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
@@ -19,6 +19,9 @@ ms.topic: troubleshooting
# Troubleshoot service issues
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
This section addresses issues that might arise as you use the Microsoft Defender Advanced Threat service.
## Server error - Access is denied due to invalid credentials
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
index 1118d17529..f925f8ec6f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
@@ -18,6 +18,9 @@ manager: dansimp
# Troubleshoot network protection
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
index 11ac7f37c9..42a3ad5d0b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
@@ -19,6 +19,9 @@ ms.topic: troubleshooting
# Troubleshoot subscription and portal access issues
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
index 2e1d1f2adb..d55165aaae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
@@ -19,6 +19,9 @@ ms.topic: troubleshooting
# Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md
index cc0b92af10..0ac32a5707 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md
@@ -19,6 +19,9 @@ ms.topic: troubleshooting
# Troubleshoot SIEM tool integration issues
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 11aa392b29..00d85e1d60 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -18,6 +18,9 @@ ms.topic: conceptual
---
# Threat and vulnerability management dashboard insights
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -55,7 +58,7 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.
-[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP.
+[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP.
[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions.
[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs (security updates).
[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index 2cfd0bfeb9..28da6b8c57 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -18,6 +18,9 @@ ms.topic: conceptual
---
# Exposure score - threat and vulnerability management
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
index 0823575cb9..ad687089f9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
@@ -18,6 +18,9 @@ ms.topic: conceptual
---
# Microsoft Secure Score for Devices
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index 6673d476df..3a45c885e5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -18,6 +18,9 @@ ms.topic: conceptual
---
# Remediation activities and exceptions - threat and vulnerability management
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index 3b9cd84b1d..a64042be50 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -18,6 +18,9 @@ ms.topic: conceptual
---
# Security recommendations - threat and vulnerability management
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -217,4 +220,4 @@ Once you identify which software and software versions are vulnerable due to the
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
+- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index d157c8610f..215f2fc19c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -18,6 +18,9 @@ ms.topic: conceptual
---
# Software inventory - threat and vulnerability management
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index d29f6dfc63..0b2eca42e4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -18,6 +18,9 @@ ms.topic: article
---
# Supported operating systems and platforms - threat and vulnerability management
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -39,7 +42,7 @@ Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software prod
Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-macOS | Not supported (planned)
+macOS 10.13 "High Sierra" and above | Operating System (OS) vulnerabilities
Software product vulnerabilities
Linux | Not supported (planned)
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index 37a974d932..4f2cc260b4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -18,17 +18,21 @@ ms.topic: conceptual
---
# Weaknesses found by threat and vulnerability management
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-[!include[Prerelease information](../../includes/prerelease.md)]
-
Threat and vulnerability management uses the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
+>[!NOTE]
+>If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by threat and vulnerability management.
+
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
>- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
@@ -144,4 +148,4 @@ Report a false positive when you see any vague, inaccurate, or incomplete inform
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
+- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
index 70c1aed086..c518418a7f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
@@ -19,6 +19,9 @@ ms.topic: article
# Release device from isolation API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
index 3b560772a9..50319acfe5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
@@ -18,6 +18,9 @@ ms.topic: article
# Remove app restriction API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
index 6a1a315729..9c9268711b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
@@ -18,6 +18,9 @@ ms.topic: article
# Update alert
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md
index 3987410333..da8874d9ba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/use.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/use.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Overview of Microsoft Defender Security Center
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index 4514bd1e98..3e7673cab5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -19,6 +19,9 @@ ms.topic: article
# Create and manage roles for role-based access control
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -60,21 +63,22 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
- **Threat and vulnerability management - Exception handling** - Create new exceptions and manage active exceptions
- **Threat and vulnerability management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities
-- **Alerts investigation** - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags.
+- **Alerts investigation** - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files
-- **Manage portal system settings** - Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups.
+- **Manage portal system settings** - Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups
> [!NOTE]
> This setting is only available in the Microsoft Defender ATP administrator (default) role.
-- **Manage security settings in Security Center** - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications, manage evaluation lab.
+- **Manage security settings in Security Center** - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications, manage evaluation lab
- **Live response capabilities**
- **Basic** commands:
- Start a live response session
- Perform read only live response commands on remote device (excluding file copy and execution
- **Advanced** commands:
- - Download a file from the remote device
+ - Download a file from the remote device via live response
+ - Download PE and non-PE files from the file page
- Upload a file to the remote device
- View a script from the files library
- Execute a script on the remote device from the files library
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user.md b/windows/security/threat-protection/microsoft-defender-atp/user.md
index e895a9b146..e94dd0bb1d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user.md
@@ -18,6 +18,9 @@ ms.topic: article
# User resource type
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -25,4 +28,4 @@ ms.topic: article
Method|Return Type |Description
:---|:---|:---
[List User related alerts](get-user-related-alerts.md) | [alert](alerts.md) collection | List all the alerts that are associated with a [user](user.md).
-[List User related devices](get-user-related-machines.md) | [machine](machine.md) collection | List all the devices that were logged on by a [user](user.md).
\ No newline at end of file
+[List User related devices](get-user-related-machines.md) | [machine](machine.md) collection | List all the devices that were logged on by a [user](user.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
index 73f10d1488..a1fa8c6d8a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
@@ -19,6 +19,9 @@ ms.topic: article
---
# View and organize the Microsoft Defender Advanced Threat Protection Incidents queue
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
index 15ec215f1c..121df4f64b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
@@ -18,6 +18,9 @@ ms.topic: article
# Vulnerability resource type
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
index cc9c36fae9..692170a5cc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -19,6 +19,9 @@ ms.topic: article
# Web content filtering
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -76,12 +79,26 @@ To add a new policy:
4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories.
5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices.
+Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
+
>[!NOTE]
>If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.
->ProTip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
+>[!IMPORTANT]
+>Blocking the "Uncategorized" category may lead to unexpected and undesired results.
-## Web content filtering cards and details
+### Allow specific websites
+
+It is possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it is applied to the device group in question.
+
+1. Create a custom indicator in the Microsoft Defender Security Center by going to **Settings** > **Indicators** > **URL/Domain** > **Add Item**
+2. Enter the domain of the site
+3. Set the policy action to **Allow**.
+
+## Web content filtering
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+ cards and details
Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering.
@@ -93,7 +110,10 @@ In the first 30 days of using this feature, your organization might not have suf
-### Web content filtering summary card
+### Web content filtering
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+ summary card
This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
index 748fd7d9dc..bcceac7999 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
@@ -19,6 +19,9 @@ ms.topic: article
# Monitor web browsing security
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains cards that provide web threat detection statistics.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
index bd1b95e08a..717f128f7c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
@@ -19,6 +19,9 @@ ms.topic: article
# Web protection
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web protection in Microsoft Defender ATP is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your devices against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
index 6faacb1439..41fb1e22a8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
@@ -19,6 +19,9 @@ ms.topic: article
# Respond to web threats
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web protection in Microsoft Defender ATP lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list.
@@ -68,4 +71,4 @@ With web protection in Microsoft Defender ATP, your end users will be prevented
- [Web protection overview](web-protection-overview.md)
- [Web content filtering](web-content-filtering.md)
- [Web threat protection](web-threat-protection.md)
-- [Monitor web security](web-protection-monitoring.md)
\ No newline at end of file
+- [Monitor web security](web-protection-monitoring.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md
index 4be0e00f08..d9d063c82f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md
@@ -19,6 +19,9 @@ ms.topic: article
# Protect your organization against web threats
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web threat protection is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
@@ -42,4 +45,4 @@ To turn on network protection on your devices:
- [Web threat protection](web-threat-protection.md)
- [Monitor web security](web-protection-monitoring.md)
- [Respond to web threats](web-protection-response.md)
-- [Network protection](network-protection.md)
\ No newline at end of file
+- [Network protection](network-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index 5b63a7546e..2f6aaf198d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
# What's new in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -35,6 +38,9 @@ For more information preview features, see [Preview features](https://docs.micro
> https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us
> ```
+## September 2020
+- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
Microsoft Defender ATP now adds support for Android. Learn how to install, configure, update, and use Microsoft Defender ATP for Android.
+- [Threat and vulnerability management macOS support](tvm-supported-os.md)
Threat and vulnerability management for macOS is now in public preview, and will continuously detect vulnerabilities on your macOS devices to help you prioritize remediation by focusing on risk. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-adds-depth-and-breadth-to-threat/ba-p/1695824).
## July 2020
- [Create indicators for certificates](manage-indicators.md)
Create indicators to allow or block certificates.
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index 3956891c0c..263e076dda 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
author: dansimp
ms.localizationpriority: medium
-ms.date: 1/26/2018
+ms.date: 09/28/2020
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -78,7 +78,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
## MDM settings
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.
-For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
+For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
| Setting |
@@ -220,5 +220,3 @@ To better help you protect your organization, we recommend turning on and using
- [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies)
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 9e241156a8..4941242b47 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -45,11 +45,13 @@ The Security Compliance Toolkit consists of:
- Microsoft 365 Apps for enterprise (Sept 2019)
- Microsoft Edge security baseline
- - Version 80
+ - Version 85
- Tools
- Policy Analyzer tool
- Local Group Policy Object (LGPO) tool
+ - Set Object Security tool
+ - GPO to PolicyRules tool
- Scripts
- Baseline-ADImport.ps1
@@ -81,3 +83,15 @@ It can export local policy to a GPO backup.
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
Documentation for the LGPO tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+
+## What is the Set Object Security tool?
+
+SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc.). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value.
+
+Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+
+## What is the GPO to Policy Rules tool?
+
+Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download.
+
+Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index 9fef84e4b2..14f67ae3d2 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -83,6 +83,8 @@ Set this policy to *Disabled* or don't configure this security policy for domain
If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that aren't part of a domain that uses PKU2U. This configuration allows users to share resources between devices.
+Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy.
+
## Related topics
- [Security options](security-options.md)
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index da3aea58e5..58051a41aa 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -24,8 +24,7 @@ Learn about an approach to collect events from devices in your organization. Thi
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server.
-To accomplish this, there are two different of subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The
-Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations.
+To accomplish this, there are two different subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations.
This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they are largely used for host forensic analysis.
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index a7254e397b..7ec755da77 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -25,7 +25,7 @@ ms.date: 10/30/2019
Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications as well as Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode devices.
-With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from “every app is Microsoft-verified" to “every app is verified by Microsoft or your organization”.
+With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from "every app is Microsoft-verified" to "every app is verified by Microsoft or your organization".
Refer to the below video for an overview and brief demo.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp]
@@ -57,7 +57,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
```powershell
Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete
```
- This deletes the ‘audit mode’ qualifier.
+ This deletes the 'audit mode' qualifier.
- Since you'll be signing your policy, you must authorize the signing certificate you will use to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. For more information, refer to Section 2, Sign policy. Use Add-SignerRule to add the signing certificate to the WDAC policy:
```powershell
@@ -88,9 +88,9 @@ Refer to [Intune Standalone - Win32 app management](https://docs.microsoft.com/i
## Optional: Process for Deploying Apps using Catalogs
-Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don’t want to allow as well.
+Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don't want to allow as well.
-Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don’t want to trust all apps that may share the same signing certificate.
+Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate.
The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using the DGSS or a custom PKI. Use the Add-SignerRule PowerShell cmdlet as shown above to authorize the catalog signing certificate in the supplemental policy. After that, IT Pros can use the standard Intune app deployment process outlined above. Refer to [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md) for more in-depth guidance on generating catalogs.
@@ -184,8 +184,6 @@ Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Regis
In order to revert users to an unmodified S mode policy, an IT Pro can remove a user or users from the targeted Intune group which received the policy, which will trigger a removal of both the policy and the authorization token from the device.
IT Pros also have the choice of deleting a supplemental policy through Intune.
-> [!Note]
-> This feature currently has a known bug which occurs when an S mode supplemental policy is deleted through Intune, in which the policy is not immediately removed from the devices to which it was deployed. A fix is expected in the 2D update in late February 2020. In the meantime, IT Pros are recommended to update their policy with the below 'empty' policy which makes no changes to S mode.
```xml
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index 7462b160a6..a8f8114e8a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -1,6 +1,7 @@
# [Application Control for Windows](windows-defender-application-control.md)
## [WDAC and AppLocker Overview](wdac-and-applocker-overview.md)
### [WDAC and AppLocker Feature Availability](feature-availability.md)
+### [Virtualization-based code integrity](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
## [WDAC design guide](windows-defender-application-control-design-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index f4ee690c02..bf44f8cd81 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 04/15/2020
+ms.date: 09/16/2020
---
# Use multiple Windows Defender Application Control Policies
@@ -24,7 +24,7 @@ ms.date: 04/15/2020
- Windows 10
- Windows Server 2016
-The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios:
+The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios:
1. Enforce and Audit Side-by-Side
- To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy
@@ -44,7 +44,7 @@ The restriction of only having a single code integrity policy active on a system
- Multiple base policies: intersection
- Only applications allowed by both policies run without generating block events
- Base + supplemental policy: union
- - Files that are allowed by the base policy or the supplemental policy are not blocked
+ - Files that are allowed by either the base policy or the supplemental policy are not blocked
## Creating WDAC policies in Multiple Policy Format
diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
index 3b0e313266..19bcd021e5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
@@ -30,10 +30,10 @@ This capability is supported beginning with Windows version 1607.
Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender ATP:
```
-MiscEvents
-| where EventTime > ago(7d) and
+DeviceEvents
+| where Timestamp > ago(7d) and
ActionType startswith "AppControl"
-| summarize Machines=dcount(ComputerName) by ActionType
+| summarize Machines=dcount(DeviceName) by ActionType
| order by Machines desc
```
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
index 7fac37b115..f076b612e7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -1,7 +1,7 @@
---
title: WDAC and AppLocker Overview
description: Compare Windows application control technologies.
-keywords: security, malware
+keywords: security, malware, allow-list, block-list
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
@@ -14,7 +14,7 @@ author: denisebmsft
ms.reviewer: isbrahm
ms.author: deniseb
manager: dansimp
-ms.date: 04/15/2020
+ms.date: 09/30/2020
ms.custom: asr
---
@@ -29,58 +29,48 @@ Windows 10 includes two technologies that can be used for application control de
## Windows Defender Application Control
-WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
-
-> [!NOTE]
-> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies.
+WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
-- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
-- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
-- The reputation of the app as determined by Microsoft's Intelligent Security Graph;
-- The identity of the process that initiated the installation of the app and its binaries (managed installer);
-- The path from which the app or file is launched (beginning with Windows 10 version 1903);
-- The process that launched the app or binary.
+- Attributes of the codesigning certificate(s) used to sign an app and its binaries
+- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
+- The reputation of the app as determined by Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md)
+- The identity of the process that initiated the installation of the app and its binaries ([managed installer](use-windows-defender-application-control-with-managed-installer.md))
+- The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903)
+- The process that launched the app or binary
+
+Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features which comprised the now-defunct term 'Device Guard'.
### WDAC System Requirements
-WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
-WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
+WDAC policies can only be created on devices running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
+
+WDAC policies can be applied to devices running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10.
## AppLocker
-AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers.
+AppLocker was introduced with Windows 7 and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end users from running unapproved software on their computers, but it does not meet the servicing criteria for being a security feature.
AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on:
-- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
-- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
-- The path from which the app or file is launched (beginning with Windows 10 version 1903).
+- Attributes of the codesigning certificate(s) used to sign an app and its binaries
+- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
+- The path from which the app or file is launched
### AppLocker System Requirements
-AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
+AppLocker policies can only be configured on and applied to devices that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
AppLocker policies can be deployed using Group Policy or MDM.
## Choose when to use WDAC or AppLocker
-Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies.
+Generally, it is recommended that customers who are able to implement application control using WDAC rather than AppLocker do so. WDAC is undergoing continual improvements and will be getting added support from Microsoft management platforms. AppLocker is a legacy technology which will continue to receive security fixes but will not undergo new feature improvements.
-### WDAC is best when:
-
-- You are adopting application control primarily for security reasons.
-- Your application control policy can be applied to all users on the managed computers.
-- All of the devices you wish to manage are running Windows 10.
-
-### AppLocker is best when:
+In some cases, however, AppLocker may be the more appropriate technology for your organization. AppLocker is best when:
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
-- You need to apply different policies for different users or groups on a shared computer.
-- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
-- You do not wish to enforce application control on application files such as DLLs or drivers.
+- You need to apply different policies for different users or groups on shared computers.
-## When to use both WDAC and AppLocker together
-
-AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
-As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
+AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where it is important to prevent some users from running specific apps.
+As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.
diff --git a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
deleted file mode 100644
index 0533ec00f5..0000000000
--- a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-ms.author: dansimp
-author: dansimp
-title: The Microsoft Defender Security Center app
----
-
-# [The Microsoft Defender Security Center app](windows-defender-security-center.md)
-
-## [Customize the Microsoft Defender Security Center app for your organization](wdsc-customize-contact-information.md)
-## [Hide Microsoft Defender Security Center app notifications](wdsc-hide-notifications.md)
-## [Manage Microsoft Defender Security Center in Windows 10 in S mode](wdsc-windows-10-in-s-mode.md)
-## [Virus and threat protection](wdsc-virus-threat-protection.md)
-## [Account protection](wdsc-account-protection.md)
-## [Firewall and network protection](wdsc-firewall-network-protection.md)
-## [App and browser control](wdsc-app-browser-control.md)
-## [Device security](wdsc-device-security.md)
-## [Device performance and health](wdsc-device-performance-health.md)
-## [Family options](wdsc-family-options.md)
-
-
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
index d6b2ed3cde..98fe19379f 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
@@ -86,7 +86,7 @@ The following table identifies and defines terms used throughout this guide.
| Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).|
| Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.|
| Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.|
-| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
+| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).|
| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.|
| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.|
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 8c41f40e80..591f85814f 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -46,7 +46,7 @@ This version of Window 10 includes security improvements for threat protection,
#### Windows Defender ATP
-The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management.
+The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform includes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management.
@@ -99,7 +99,7 @@ Endpoint detection and response is improved. Enterprise customers can now take a
- Upgraded detections of ransomware and other advanced attacks.
- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed.
- **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach:
+ **Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach:
- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
- [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
@@ -128,7 +128,7 @@ This also means you’ll see more links to other security apps within **Windows
You can read more about ransomware mitigations and detection capability at:
- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/)
-- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf)
+- [Ransomware security intelligence](https://docs.microsoft.com/windows/security/threat-protection/intelligence/ransomware-malware)
- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/)
Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
@@ -185,7 +185,7 @@ Improvements have been added are to Windows Hello for Business and Credential Gu
New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present.
-New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude:
+New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) include:
- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.
- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
@@ -208,7 +208,7 @@ Windows Defender Credential Guard has always been an optional feature, but Windo
For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
-### Other security improvments
+### Other security improvements
#### Windows security baselines
@@ -259,17 +259,6 @@ Using Intune, Autopilot now enables locking the device during provisioning durin
You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices).
-#### Windows Autopilot self-deploying mode
-
-Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot.
-
-This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
-
-You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
-
-To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying).
-
-
#### Autopilot Reset
IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
@@ -413,7 +402,7 @@ If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.micro
### Co-management
-Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
@@ -456,7 +445,7 @@ Windows Update for Business now provides greater control over updates, with the
The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
@@ -465,7 +454,7 @@ Windows Update for Business now provides greater control over updates, with the
The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 2f32d6a64d..9d74b2f7b8 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -150,7 +150,7 @@ New features for Microsoft Defender AV in Windows 10, version 1703 include:
In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
-You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
+You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [ransomware information topic](https://docs.microsoft.com/windows/security/threat-protection/intelligence/ransomware-malware) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
### Device Guard and Credential Guard
+ 
5. Click **OK**.
6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
- ```
+ ```powershell
cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
abortpxe.com
@@ -342,31 +346,32 @@ WDSUTIL /Set-Server /AnswerClients:None
wdsmgfw.efi
wdsnbp.com
```
+
>If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
>You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
- ```
+ ```powershell
Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
```
The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files:
- Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
+ `Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"`
Once the files are present in the REMINST share location, you can close the cmtrace tool.
-### Create a branding image file
+### Create a branding image file
1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image.
2. Type the following command at an elevated Windows PowerShell prompt:
+ ```powershell
+ Copy-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination "C:\Sources\OSD\Branding\contoso.bmp"
```
- copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp"
- ```
+
>You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
-
-### Create a boot image for Configuration Manager
+### Create a boot image for Configuration Manager
1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
@@ -380,13 +385,13 @@ WDSUTIL /Set-Server /AnswerClients:None
9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**.
10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
- ```
+ ```powershell
Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
```
-
+
In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
- ```
+ ```console
STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590)
```
@@ -395,7 +400,7 @@ WDSUTIL /Set-Server /AnswerClients:None
13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
- ```
+ ```console
cmd /c dir /s /b C:\RemoteInstall\SMSImages
C:\RemoteInstall\SMSImages\PS100004
@@ -414,9 +419,10 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
- ```
+ ```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
```
+
2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
@@ -424,12 +430,12 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
5. Use the following settings for the New Deployment Share Wizard:
- - Deployment share path: **C:\MDTBuildLab**
- 
- 
- 
- 
- 
- 
