fix conflicts

.openpublishing.redirection.json

@@ -8,7 +8,7 @@
     {
       "source_path": "devices/hololens/hololens-whats-new.md",
       "redirect_url": "https://docs.microsoft.com/hololens/hololens-release-notes",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "devices/hololens/hololens-upgrade-enterprise.md",
@@ -28,7 +28,7 @@
     {
       "source_path": "devices/hololens/hololens-setup.md",
       "redirect_url": "https://docs.microsoft.com/hololens/hololens1-setup",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "devices/hololens/hololens-use-apps.md",
@@ -38,17 +38,17 @@
     {
       "source_path": "devices/hololens/hololens-get-apps.md",
       "redirect_url": "https://docs.microsoft.com/hololens/holographic-store-apps",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "devices/hololens/hololens-spaces-on-hololens.md",
       "redirect_url": "https://docs.microsoft.com/hololens/hololens-spaces",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "devices/hololens/hololens-clicker.md",
       "redirect_url": "https://docs.microsoft.com/hololens/hololens1-clicker",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "devices/hololens/hololens-clicker-restart-recover.md",
@@ -108,7 +108,7 @@
     {
       "source_path": "windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md",
       "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-containers-help-protect-windows",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md",
@@ -173,12 +173,12 @@
     {
       "source_path": "windows/deployment/update/waas-windows-insider-for-business-aad.md",
       "redirect_url": "https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-add",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/update/waas-windows-insider-for-business-faq.md",
       "redirect_url": "https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md",
@@ -6213,27 +6213,27 @@
     {
       "source_path": "devices/surface/surface-diagnostic-toolkit.md",
       "redirect_url": "https://docs.microsoft.com/surface/index",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "devices/surface/manage-surface-dock-firmware-updates.md",
       "redirect_url": "https://docs.microsoft.com/surface/indexdevices/surface/update",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md",
       "redirect_url": "https://docs.microsoft.com/surface-hub/finishing-your-surface-hub-meeting",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "devices/hololens/hololens-microsoft-layout-app.md",
       "redirect_url": "https://docs.microsoft.com/hololens/hololens-microsoft-dynamics-365-layout-app",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "devices/hololens/hololens-microsoft-dynamics-365-layout-app.md",
       "redirect_url": "https://docs.microsoft.com/dynamics365/mixed-reality/layout/",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "devices/hololens/hololens-microsoft-remote-assist-app.md",

browsers/edge/about-microsoft-edge.md

@@ -11,7 +11,6 @@ ms.prod: edge
 ms.mktglfcycl: general
 ms.topic: reference
 ms.sitesec: library
-title: Microsoft Edge for IT Pros
 ms.localizationpriority: medium
 ms.date: 10/02/2018
 ---

browsers/edge/troubleshooting-microsoft-edge.md

@@ -9,7 +9,6 @@ author: dansimp
 ms.author: dansimp
 ms.prod: edge
 ms.sitesec: library
-title: Deploy Microsoft Edge kiosk mode
 ms.localizationpriority: medium
 ms.date: 10/15/2018
 ---

browsers/edge/use-powershell-to manage-group-policy.md

@@ -5,7 +5,6 @@ ms.prod: edge
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)
 ms.localizationpriority: medium
 ms.date: 10/02/2018
 ms.reviewer: 

windows/client-management/change-default-removal-policy-external-storage-media.md

@@ -5,7 +5,6 @@ ms.prod: w10
 author: Teresa-Motiv
 ms.author: v-tea
 ms.date: 12/13/2019
-ms.prod: w10
 ms.topic: article
 ms.custom: 
 - CI 111493

windows/client-management/mdm/certificatestore-csp.md

@@ -17,7 +17,9 @@ ms.date: 02/28/2020
 
 The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates.
 
-> **Note**   The CertificateStore configuration service provider does not support installing client certificates.
+> [!Note]
+> The CertificateStore configuration service provider does not support installing client certificates.
+> The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive.
 
  
 
@@ -643,4 +645,3 @@ Configure the device to automatically renew an MDM client certificate with the s
 
 
 
-

windows/client-management/mdm/dmclient-ddf-file.md

@@ -1022,7 +1022,6 @@ The XML below is for Windows 10, version 1803.
                 <DFProperties>
                   <AccessType>
                     <Add />
-                    <Delete />
                     <Get />
                     <Replace />
                   </AccessType>

windows/client-management/troubleshoot-tcpip-netmon.md

@@ -16,6 +16,9 @@ manager: dansimp
 
 In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic.
 
+> [Note]
+> Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide).
+
 To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image.
 
 ![Adapters](images/nm-adapters.png)

windows/configuration/windows-spotlight.md

@@ -44,7 +44,7 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en
 
 -   **Feature suggestions, fun facts, tips**
 
-    The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**.
+    The lock screen background will occasionally make reccomendations on how to enhance your productivity and enjoyment of Microsoft products including suggesting other relevant Microsoft products and services.
     
     ![fun facts](images/funfacts.png)
 

windows/deployment/Windows-AutoPilot-EULA-note.md

@@ -7,12 +7,11 @@ ms.sitesec: library
 ms.pagetype: deploy
 ms.localizationpriority: medium
 ms.audience: itpro
-
+author: greg-lindsay
 ms.date: 08/22/2017
 ms.reviewer: 
 manager: laurawi
 audience: itpro
-author: greg-lindsay
 ROBOTS: noindex,nofollow
 ms.topic: article
 ---

windows/deployment/configure-a-pxe-server-to-load-windows-pe.md

@@ -11,7 +11,6 @@ audience: itpro
 author: greg-lindsay
 ms.reviewer: 
 manager: laurawi
-ms.audience: itpro
 ms.author: greglin
 ms.topic: article
 ---

windows/deployment/deploy-windows-to-go.md

@@ -12,7 +12,6 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: mobility
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ---
 

windows/deployment/deploy.md

@@ -11,7 +11,6 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: medium
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ---
 

windows/deployment/mbr-to-gpt.md

@@ -12,7 +12,6 @@ ms.date: 02/13/2018
 ms.reviewer: 
 manager: laurawi
 ms.audience: itpro
-author: greg-lindsay
 ms.localizationpriority: medium
 ms.topic: article
 ---

windows/deployment/planning/windows-10-enterprise-faq-itpro.md

@@ -6,12 +6,12 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.localizationpriority: medium
 ms.sitesec: library
-audience: itpro
+author: greg-lindsay
 ms.date: 08/18/2017
 ms.reviewer: 
 manager: laurawi
 ms.author: greglin
-author: greg-lindsay
+audience: itpro
 ms.topic: article
 ---
 

windows/deployment/planning/windows-10-removed-features.md

@@ -27,6 +27,7 @@ The following features and functionalities have been removed from the installed
 
 |Feature    |  Details and mitigation  | Removed in version |
 | ----------- | --------------------- | ------ |
+| Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) will end on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 8/13/2020 |
 | Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 |
 | Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 |
 | Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices.  The apps are removed for non-cellular devices.| 2004 |

windows/deployment/s-mode.md

@@ -12,7 +12,6 @@ manager: laurawi
 ms.audience: itpro
 
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ---
 

windows/deployment/update/WIP4Biz-intro.md

@@ -7,9 +7,7 @@ ms.mktglfcycl: manage
 audience: itpro
 itproauthor: jaimeo
 author: jaimeo
-ms.localizationprioauthor: jaimeo
 ms.audience: itpro
-author: jaimeo
 ms.reviewer: 
 manager: laurawi
 ms.topic: article

windows/deployment/update/plan-determine-app-readiness.md

@@ -9,7 +9,6 @@ ms.mktglfcycl: manage
 audience: itpro
 ms.localizationpriority: medium
 ms.audience: itpro
-author: jaimeo
 ms.topic: article
 ms.collection: M365-modern-desktop
 ---

windows/deployment/update/update-policies.md

@@ -10,7 +10,6 @@ audience: itpro
 author: jaimeo
 ms.localizationpriority: medium
 ms.audience: itpro
-author: jaimeo
 ms.topic: article
 ms.collection: M365-modern-desktop
 ---

windows/deployment/update/waas-manage-updates-wsus.md

@@ -83,6 +83,9 @@ When using WSUS to manage updates on Windows client devices, start by configurin
 
    ![Example of UI](images/waas-wsus-fig5.png)
    
+   >[!IMPORTANT]
+   > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdateDoNotConnectToWindowsUpdateInternetLocations
+    
    > [!NOTE]
    > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx). 
     

windows/deployment/update/waas-morenews.md

@@ -4,13 +4,11 @@ ms.prod: w10
 ms.topic: article
 ms.manager: elizapo
 audience: itpro
-itproauthor: jaimeo
 author: jaimeo
 ms.author: jaimeo
 ms.reviewer: 
 manager: laurawi
 ms.localizationpriority: high
-ms.topic: article
 ---
 # Windows as a service - More news
 

windows/deployment/update/waas-wufb-intune.md

@@ -6,7 +6,6 @@ ms.mktglfcycl: manage
 audience: itpro
 ms.localizationpriority: medium
 ms.audience: itpro
-author: jaimeo
 ms.date: 07/27/2017
 ms.reviewer: 
 manager: laurawi

windows/deployment/update/windows-update-error-reference.md

@@ -8,7 +8,6 @@ itproauthor: jaimeo
 author: jaimeo
 ms.localizationpriority: medium
 ms.audience: itpro
-author: jaimeo
 ms.date: 09/18/2018
 ms.reviewer: 
 manager: laurawi

windows/deployment/update/windows-update-errors.md

@@ -5,8 +5,6 @@ ms.prod: w10
 ms.mktglfcycl: 
 audience: itpro
 itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
 ms.audience: itpro
 author: jaimeo
 ms.date: 09/18/2018

windows/deployment/update/windows-update-logs.md

@@ -5,8 +5,6 @@ ms.prod: w10
 ms.mktglfcycl: 
 audience: itpro
 itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
 ms.audience: itpro
 author: jaimeo
 ms.date: 09/18/2018

windows/deployment/update/windows-update-overview.md

@@ -6,9 +6,7 @@ ms.mktglfcycl:
 audience: itpro
 itproauthor: jaimeo
 author: jaimeo
-ms.localizationprioauthor: jaimeo
 ms.audience: itpro
-author: jaimeo
 ms.date: 09/18/2018
 ms.reviewer: 
 manager: laurawi

windows/deployment/update/windows-update-resources.md

@@ -6,7 +6,6 @@ ms.mktglfcycl:
 audience: itpro
 ms.localizationpriority: medium
 ms.audience: itpro
-author: jaimeo
 ms.date: 09/18/2018
 ms.reviewer:
 manager: laurawi

windows/deployment/update/windows-update-troubleshooting.md

@@ -5,8 +5,6 @@ ms.prod: w10
 ms.mktglfcycl: 
 audience: itpro
 itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
 ms.audience: itpro
 author: jaimeo
 ms.reviewer: 

windows/deployment/update/wufb-autoupdate.md

@@ -6,9 +6,7 @@ ms.mktglfcycl: manage
 audience: itpro
 itproauthor: jaimeo
 author: jaimeo
-ms.localizationprioauthor: jaimeo
 ms.audience: itpro
-author: jaimeo
 ms.date: 06/20/2018
 ms.reviewer: 
 manager: laurawi

windows/deployment/update/wufb-basics.md

@@ -8,7 +8,6 @@ itproauthor: jaimeo
 author: jaimeo
 ms.localizationprioauthor: jaimeo
 ms.audience: itpro
-author: jaimeo
 ms.reviewer: 
 manager: laurawi
 ms.topic: article

windows/deployment/update/wufb-managedrivers.md

@@ -5,8 +5,6 @@ ms.prod: w10
 ms.mktglfcycl: manage
 audience: itpro
 itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
 ms.audience: itpro
 author: jaimeo
 ms.date: 06/21/2018

windows/deployment/update/wufb-manageupdate.md

@@ -6,9 +6,7 @@ ms.mktglfcycl: manage
 audience: itpro
 itproauthor: jaimeo
 author: jaimeo
-ms.localizationprioauthor: jaimeo
 ms.audience: itpro
-author: jaimeo
 ms.date: 06/20/2018
 ms.reviewer: 
 manager: laurawi

windows/deployment/update/wufb-onboard.md

@@ -5,8 +5,6 @@ ms.prod: w10
 ms.mktglfcycl: manage
 audience: itpro
 itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
 ms.audience: itpro
 author: jaimeo
 ms.reviewer: 

windows/deployment/vda-subscription-activation.md

@@ -12,7 +12,6 @@ ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ms.collection: M365-modern-desktop
 ---

windows/deployment/windows-10-deployment-posters.md

@@ -12,7 +12,6 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ---
 

windows/deployment/windows-10-deployment-scenarios.md

@@ -12,7 +12,6 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ---
 

windows/deployment/windows-10-deployment-tools-reference.md

@@ -10,7 +10,6 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 audience: itpro
-author: greg-lindsay
 ms.date: 07/12/2017
 ms.topic: article
 ---

windows/deployment/windows-10-deployment-tools.md

@@ -10,7 +10,6 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 audience: itpro
-author: greg-lindsay
 ms.date: 10/16/2017
 ms.topic: article
 ---

windows/deployment/windows-10-enterprise-e3-overview.md

@@ -13,7 +13,6 @@ manager: laurawi
 ms.audience: itpro
 author: greg-lindsay
 audience: itpro
-
 ms.collection: M365-modern-desktop
 ms.topic: article
 ---

windows/deployment/windows-10-media.md

@@ -12,7 +12,6 @@ ms.audience: itpro
 
 ms.sitesec: library
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ---
 

windows/deployment/windows-10-missing-fonts.md

@@ -7,8 +7,8 @@ ms.mktglfcycl: plan
 ms.sitesec: library
 ms.localizationpriority: medium
 audience: itpro
-ms.audience: itpro
 author: greg-lindsay
+ms.audience: itpro
 ms.date: 10/31/2017
 ms.reviewer: 
 manager: laurawi

windows/deployment/windows-10-poc-mdt.md

@@ -13,7 +13,6 @@ manager: laurawi
 ms.audience: itpro
 
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ---
 

windows/deployment/windows-10-poc-sc-config-mgr.md

@@ -12,7 +12,6 @@ manager: laurawi
 ms.audience: itpro
 
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ---
 

windows/deployment/windows-10-poc.md

@@ -12,7 +12,6 @@ ms.pagetype: deploy
 keywords: deployment, automate, tools, configure, mdt, sccm
 ms.localizationpriority: medium
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ---
 

windows/deployment/windows-10-pro-in-s-mode.md

@@ -12,7 +12,6 @@ ms.prod: w10
 ms.sitesec: library
 ms.pagetype: deploy
 audience: itpro
-
 ms.collection: M365-modern-desktop
 ms.topic: article
 ---

windows/deployment/windows-adk-scenarios-for-it-pros.md

@@ -11,7 +11,10 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 audience: itpro
+<<<<<<< HEAD
 
+=======
+>>>>>>> 3e2e455e105ceb5e17d04cbe4524d621b13b03ba
 ms.date: 07/27/2017
 ms.topic: article
 ---

windows/deployment/windows-deployment-scenarios-and-tools.md

@@ -11,7 +11,6 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ---
 

windows/privacy/manage-windows-2004-endpoints.md

@@ -71,7 +71,6 @@ The following methodology was used to derive these network endpoints:
 |||HTTPS|*licensing.mp.microsoft.com|
 |Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
 ||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2|*maps.windows.com|
-|| The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTP|fs.microsoft.com*|
 |Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
 ||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2|*login.live.com|
 |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com|

windows/security/identity-protection/enterprise-certificate-pinning.md

@@ -11,7 +11,6 @@ ms.collection: M365-identity-device-management
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 ms.date: 07/27/2017

windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md

@@ -98,6 +98,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
 | 0x801C03F0  | ​There is no key registered for the user. |
 | 0x801C03F1  | ​There is no UPN in the token. |
 | ​0x801C044C  | There is no core window for the current thread. |
+| 0x801c004D  | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request AAD token for provisioning. Unable to enroll a device to use a PIN for login. |
 
 
 ## Related topics

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md

@@ -74,9 +74,12 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
 
 The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
 
+> [!NOTE]
+> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows 10 device settings to enable Windows Hello for Business in Intune](https://docs.microsoft.com/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization#policy-conflicts-from-multiple-policy-sources)
+
 #### Enable Windows Hello for Business
 
-The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business.  A user will only attempt enrollment if this policy setting is configured to enabled.  
+The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business.  A user will only attempt enrollment if this policy setting is configured to enabled.  
 
 You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment.  Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
 

windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md

@@ -8,7 +8,6 @@ ms.sitesec: library
 ms.pagetype: security, mobile
 author: DaniHalfin
 audience: ITPro
-author: mikestephens-MS
 ms.author: dolmont
 manager: dansimp
 ms.collection: M365-identity-device-management

windows/security/identity-protection/user-account-control/user-account-control-overview.md

@@ -14,7 +14,6 @@ ms.author: dansimp
 manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
-ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
 

windows/security/identity-protection/vpn/vpn-profile-options.md

@@ -63,7 +63,6 @@ The following is a sample Native VPN profile. This blob would fall under the Pro
     <!--Sample EAP profile (PEAP)--> 
     <Authentication>  
       <UserMethod>Eap</UserMethod> 
-      <MachineMethod>Eap</MachineMethod>  
       <Eap>  
        <Configuration>
           <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">

windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md

@@ -4,7 +4,6 @@ description: Learn how unenlightened and enlightened apps might behave, based on
 keywords: WIP, Enterprise Data Protection, EDP, Windows Information Protection, unenlightened apps, enlightened apps
 ms.prod: w10
 ms.mktglfcycl: explore
-ms.pagetype: security
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium

windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md

@@ -214,6 +214,8 @@ Path                   Publisher
 
 Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name.
 
+Regarding to how to get the Product Name for the Apps you wish to Add, please reach out to our Windows Support Team to request the guidelines
+
 ### Import a list of apps 
 
 This section covers two examples of using an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. 
@@ -461,10 +463,10 @@ contoso.sharepoint.com|contoso.visualstudio.com
 
 Specify the domains used for identities in your environment. 
 All traffic to the fully-qualified domains appearing in this list will be protected.
-Separate multiple domains with the "," delimiter.
+Separate multiple domains with the "|" delimiter.
 
 ```code
-exchange.contoso.com,contoso.com,region.contoso.com
+exchange.contoso.com|contoso.com|region.contoso.com
 ```
 
 ### Network domains

windows/security/threat-protection/TOC.md

@@ -338,8 +338,9 @@
 
 
 #### [Custom detections]()
-##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
+##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md)
-##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
+##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md)
+##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md)
 
 ### [Behavioral blocking and containment]()
 #### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)

windows/security/threat-protection/auditing/event-4624.md

@@ -146,6 +146,7 @@ This event generates when a logon session is created (on destination machine). I
 
 | Logon Type | Logon Title         | Description                                                                                                                                                                                                                                                                                                                |
 |:----------:|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|  `0`       | `System`            | Used only by the System account, for example at system startup.                                                                                                                                                                                                                                                            |
 |  `2`       | `Interactive`       | A user logged on to this computer.                                                                                                                                                                                                                                                                                         |
 |  `3`       | `Network`           | A user or computer logged on to this computer from the network.                                                                                                                                                                                                                                                            |
 |  `4`       | `Batch`             | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.                                                                                                                                                                                         |
@@ -155,6 +156,8 @@ This event generates when a logon session is created (on destination machine). I
 |  `9`       | `NewCredentials`    | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.                                                                                                                 |
 | `10`       | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop.                                                                                                                                                                                                                                      |
 | `11`       | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.                                                                                                                                                    |
+| `12`       | `CashedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing.                                                                                                                                                                                                                                                        |
+| `13`       | `CachedUnlock` | Workstation logon.                                                                                                                                                                                                                                                                                                             |
 
 -   **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.
 

windows/security/threat-protection/index.md

@@ -1,7 +1,7 @@
 ---
 title: Threat Protection (Windows 10)
 description: Learn how Microsoft Defender ATP helps protect against threats.
-keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
+keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -27,7 +27,7 @@ ms.topic: conceptual
 <tr>
 <td><a href="#tvm"><center><img src="images/TVM_icon.png"> <br><b>Threat & Vulnerability Management</b></center></a></td>
 <td><a href="#asr"><center><img src="images/asr-icon.png"> <br><b>Attack surface reduction</b></center></a></td>
-<td><center><a href="#ngp"><img src="images/ngp-icon.png"><br> <b>Next generation protection</b></a></center></td>
+<td><center><a href="#ngp"><img src="images/ngp-icon.png"><br> <b>Next-generation protection</b></a></center></td>
 <td><center><a href="#edr"><img src="images/edr-icon.png"><br> <b>Endpoint detection and response</b></a></center></td>
 <td><center><a href="#ai"><img src="images/air-icon.png"><br> <b>Automated investigation and remediation</b></a></center></td>
 <td><center><a href="#mte"><img src="images/mte-icon.png"><br> <b>Microsoft Threat Experts</b></a></center></td>
@@ -77,8 +77,8 @@ The attack surface reduction set of capabilities provide the first line of defen
 
 <a name="ngp"></a>
 
-**[Next generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**<br>
+**[Next-generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**<br>
-To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
+To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats.
 
 - [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)
 - [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus)

windows/security/threat-protection/intelligence/fileless-threats.md

@@ -2,7 +2,7 @@
 title: Fileless threats
 ms.reviewer: 
 description: Learn about the categories of fileless threats and malware that "live off the land"
-keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next generation protection
+keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next-generation protection
 ms.prod: w10
 ms.mktglfcycl: secure
 ms.sitesec: library

windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb

windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
@@ -32,7 +31,7 @@ You can [specify how long the file should be prevented from running](configure-c
 
 When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean.
 
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
 ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)  
 
 In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.

windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md

@@ -11,7 +11,6 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
 ---

windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb

windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb

windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb

windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: detect
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb

windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
@@ -24,7 +23,7 @@ ms.custom: nextgen
 > [!NOTE]
 > The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
 
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
 ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)  
 
 You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.

windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
@@ -30,7 +29,7 @@ Use this guide to determine how well Microsoft Defender Antivirus protects you f
 >- Fast learning (including Block at first sight)
 >- Potentially unwanted application blocking
 
-It explains the important next generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network.
+It explains the important next-generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network.
 
 You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings.
 

windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb

windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb

windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb

windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
@@ -23,7 +22,7 @@ ms.custom: nextgen
 
 Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.  
 
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
 ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)  
 
 To take advantage of the power and speed of these next-generation technologies, Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense. 

windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro 
 ms.topic: article 

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md

@@ -57,3 +57,4 @@ Table and column names are also listed within the Microsoft Defender Security Ce
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Work with query results](advanced-hunting-query-results.md)
 - [Learn the query language](advanced-hunting-query-language.md)
+- [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914)

windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md

@@ -1,9 +1,8 @@
 ---
 title: Test how Microsoft Defender ATP features work
-description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it were enabled
+description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it was enabled.
 keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -23,17 +22,17 @@ manager: dansimp
 
 * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
+You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature.
 
-You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
+You may want to enable audit mode when testing how the features will work in your organization. Ensure it doesn't affect your line-of-business apps, and get an idea of how many suspicious file modification attempts generally occur over a certain period of time.
 
-While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
+The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what impact the feature would have had if it was enabled.
 
 To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
 
 You can use Microsoft Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
 
-This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
+This article provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
 
 You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
 

windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md

@@ -3,13 +3,11 @@ title: Prevent ransomware and threats from encrypting and changing files
 description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware from encrypting your files.
 keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-audience: ITPro
 author: denisebmsft
 ms.author: deniseb
 audience: ITPro

windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md

@@ -1,7 +1,7 @@
 ---
-title: Create and manage custom detection rules in Microsoft Defender ATP
+title: Create custom detection rules in Microsoft Defender ATP
 ms.reviewer: 
-description: Learn how to create and manage custom detection rules based on advanced hunting queries
+description: Learn how to create custom detection rules based on advanced hunting queries
 keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -18,26 +18,27 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-
+# Create custom detection rules
-# Create and manage custom detection rules
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
+Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
 
-> [!NOTE]
+Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). 
-> To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
 
-## Create a custom detection rule
+## 1. Check required permissions
-### 1. Prepare the query.
 
-In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
+To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+
+## 2. Prepare the query
+
+In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
 
 >[!IMPORTANT]
 >To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
 
 
-#### Required columns in the query results
+### Required columns in the query results
 To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
 
 There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. 
@@ -52,83 +53,60 @@ DeviceEvents
 | where count_ > 5
 ```
 
-### 2. Create new rule and provide alert details.
+## 3. Create new rule and provide alert details
 
 With the query in the query editor, select **Create detection rule** and specify the following alert details:
 
-- **Detection name** — name of the detection rule
+- **Detection name**—name of the detection rule
-- **Frequency** — interval for running the query and taking action. [See additional guidance below](#rule-frequency)
+- **Frequency**—interval for running the query and taking action. [See additional guidance below](#rule-frequency)
-- **Alert title** — title displayed with alerts triggered by the rule
+- **Alert title**—title displayed with alerts triggered by the rule
-- **Severity** — potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)
+- **Severity**—potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)
-- **Category** — type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
+- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
-- **Description** — more information about the component or activity identified by the rule 
+- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software
-- **Recommended actions** — additional actions that responders might take in response to an alert 
+- **Description**—more information about the component or activity identified by the rule 
+- **Recommended actions**—additional actions that responders might take in response to an alert 
 
 For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
 
-#### Rule frequency
+### Rule frequency
 When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
 
-- **Every 24 hours** — runs every 24 hours, checking data from the past 30 days
+- **Every 24 hours**—runs every 24 hours, checking data from the past 30 days
-- **Every 12 hours** — runs every 12 hours, checking data from the past 24 hours
+- **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours
-- **Every 3 hours** — runs every 3 hours, checking data from the past 6 hours
+- **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours
-- **Every hour** — runs hourly, checking data from the past 2 hours
+- **Every hour**—runs hourly, checking data from the past 2 hours
 
 Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
 
-### 3. Specify actions on files or devices.
+## 4. Specify actions on files or devices
 Your custom detection rule can automatically take actions on files or devices that are returned by the query.
 
-#### Actions on devices
+### Actions on devices
 These actions are applied to devices in the `DeviceId` column of the query results:
-- **Isolate device** — applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
+- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
-- **Collect investigation package** — collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
+- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
-- **Run antivirus scan** — performs a full Microsoft Defender Antivirus scan on the device
+- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
-- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the device
+- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
 
-#### Actions on files
+### Actions on files
 These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
-- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
+- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
-- **Quarantine file** — deletes the file from its current location and places a copy in quarantine
+- **Quarantine file**—deletes the file from its current location and places a copy in quarantine
 
-### 4. Click **Create** to save and turn on the rule.
+## 5. Set the rule scope
-After reviewing the rule, click **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
+Set the scope to specify which devices are covered by the rule:
 
-## Manage existing custom detection rules
+- All devices
-In **Settings** > **Custom detections**, you can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
+- Specific device groups
 
-### View existing rules
+Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
 
-To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information:
+## 6. Review and turn on the rule
+After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
 
-- **Last run** — when a rule was last run to check for query matches and generate alerts
-- **Last run status** — whether a rule ran successfully
-- **Next run** — the next scheduled run
-- **Status** — whether a rule has been turned on or off
 
-### View rule details, modify rule, and run rule
+## Related topics
-
+- [View and manage detection rules](custom-detections-manage.md)
-To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. This opens a page about the custom detection rule with the following information:
-
-- General information about the rule, including the details of the alert, run status, and scope
-- List of triggered alerts
-- List of triggered actions
-
-![Custom detection rule page](images/atp-custom-detection-rule-details.png)<br>
-*Custom detection rule page*
-
-You can also take the following actions on the rule from this page:
-
-- **Run** — run the rule immediately. This also resets the interval for the next run.
-- **Edit** — modify the rule without changing the query
-- **Modify query** — edit the query in advanced hunting
-- **Turn on** / **Turn off** — enable the rule or stop it from running
-- **Delete** — turn off the rule and remove it
-
->[!TIP]
->To quickly view information and take action on an item in a table, use the selection column [&#10003;] at the left of the table.
-
-## Related topic
 - [Custom detections overview](overview-custom-detections.md)
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the advanced hunting query language](advanced-hunting-query-language.md)

windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md

@@ -0,0 +1,67 @@
+---
+title: View and manage custom detection rules in Microsoft Defender ATP
+ms.reviewer: 
+description: Learn how to view and manage custom detection rules
+keywords: custom detections, view, manage, alerts, edit, run on demand, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+
+# View and manage custom detection rules
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
+
+## Required permissions
+
+To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+
+## View existing rules
+
+To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information:
+
+- **Last run**—when a rule was last run to check for query matches and generate alerts
+- **Last run status**—whether a rule ran successfully
+- **Next run**—the next scheduled run
+- **Status**—whether a rule has been turned on or off
+
+## View rule details, modify rule, and run rule
+
+To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. A page about the selected rule displays the following information:
+
+- General information about the rule, including the details of the alert, run status, and scope
+- List of triggered alerts
+- List of triggered actions
+
+![Custom detection rule page](images/atp-custom-detection-rule-details.png)<br>
+*Custom detection rule page*
+
+You can also take the following actions on the rule from this page:
+
+- **Run**—run the rule immediately. This action also resets the interval for the next run.
+- **Edit**—modify the rule without changing the query
+- **Modify query**—edit the query in advanced hunting
+- **Turn on** / **Turn off**—enable the rule or stop it from running
+- **Delete**—turn off the rule and remove it
+
+>[!TIP]
+>To quickly view information and take action on an item in a table, use the selection column [&#10003;] at the left of the table.
+
+## Related topics
+- [Custom detections overview](overview-custom-detections.md)
+- [Create detection rules](custom-detection-rules.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [View and organize alerts](alerts-queue.md)

windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md

@@ -1,17 +1,15 @@
 ---
 title: Configure how attack surface reduction rules work to fine-tune protection in your network
-description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
+description: Individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from attack surface reduction rules
 keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: levinec
 ms.author: ellevin
-ms.date: 05/20/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -34,21 +32,21 @@ You can set attack surface reduction rules for devices running any of the follow
 - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
 - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
+You can use Group Policy, PowerShell, and Mobile Device Management (MDM) configuration service providers (CSP) to configure these settings.
 
 ## Exclude files and folders
 
-You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running.
+You can choose to exclude files and folders from being evaluated by attack surface reduction rules. Once excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior.
 
 > [!WARNING]
 > This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
 
-An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to a specific rule.
+An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource. However, you cannot limit an exclusion to a specific rule.
 
 An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
 
-Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
-If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
+If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
 
 Rule description | GUID
 -|-|-
@@ -72,20 +70,20 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail
 
 ### Use Group Policy to exclude files and folders
 
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
 
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
 
 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
 
-4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
 
 > [!WARNING]
 > Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
 
 ### Use PowerShell to exclude files and folders
 
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
 2. Enter the following cmdlet:
 
     ```PowerShell
@@ -103,7 +101,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusio
 
 ## Customize the notification
 
-See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+You can customize the notification for when a rule is triggered and blocks an app or file. See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) article.
 
 ## Related topics
 

windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md

@@ -1,17 +1,15 @@
 ---
 title: Add additional folders and apps to be protected 
-description: Add additional folders that should be protected by Controlled folder access, or allow apps that are incorrectly blocking changes to important files.
+description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files.
 keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: levinec
 ms.author: ellevin
-ms.date: 05/13/2019
 ms.reviewer: 
 manager: dansimp
 ---
@@ -22,9 +20,9 @@ manager: dansimp
 
 * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
+Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients.
 
-This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
+This article describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).
 
 * [Add additional folders to be protected](#protect-additional-folders)
 * [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders)
@@ -36,11 +34,9 @@ This topic describes how to customize the following settings of the controlled f
 
 ## Protect additional folders
 
-Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
+Controlled folder access applies to a number of system folders and default locations, such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you can't remove the default folders in the default list.
 
-You can add additional folders to be protected, but you cannot remove the default folders in the default list.
+Adding other folders to controlled folder access can be useful. Some use-cases include if you don't store files in the default Windows libraries, or you've changed the location of the libraries away from the defaults.
-
-Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
 
 You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
 
@@ -48,27 +44,27 @@ You can use the Windows Security app or Group Policy to add and remove additiona
 
 ### Use the Windows Security app to protect additional folders
 
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
 
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**:
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**.
 
-3. Under the **Controlled folder access** section, click **Protected folders**
+3. Under the **Controlled folder access** section, select **Protected folders**.
 
-4. Click **Add a protected folder** and follow the prompts to add apps.
+4. Select **Add a protected folder** and follow the prompts to add apps.
 
 ### Use Group Policy to protect additional folders
 
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
 
-2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
 
 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
 
-4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder.
+4. Double-click **Configured protected folders** and set the option to **Enabled**. Select **Show** and enter each folder.
 
 ### Use PowerShell to protect additional folders
 
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
 2. Enter the following cmdlet:
 
     ```PowerShell
@@ -88,41 +84,41 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m
 
 ## Allow specific apps to make changes to controlled folders
 
-You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature.
+You can specify if certain apps are always considered safe and give write access to files in protected folders. Allowing apps can be useful if a particular app you know and trust is being blocked by the controlled folder access feature.
 
 > [!IMPORTANT]
 > By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
 > You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
 
-When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access.
+When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders. If the app (with the same name) is in a different location, it will not be added to the allow list and may be blocked by controlled folder access.
 
-An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
+An allowed application or service only has write access to a controlled folder after it starts. For example, an update service will continue to trigger events after it's allowed until it is stopped and restarted.
 
 ### Use the Windows Defender Security app to allow specific apps
 
-1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security by selecting the shield icon in the task bar or searching the start menu for **Defender**.
 
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**.
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**.
 
-3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
+3. Under the **Controlled folder access** section, select **Allow an app through Controlled folder access**
 
-4. Click **Add an allowed app** and follow the prompts to add apps.
+4. Select **Add an allowed app** and follow the prompts to add apps.
 
     ![Screenshot of how to add an allowed app button](../images/cfa-allow-app.png)
 
 ### Use Group Policy to allow specific apps
 
-1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
 
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
 
 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
 
-4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
+4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Select **Show** and enter each app.
 
 ### Use PowerShell to allow specific apps
 
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
 2. Enter the following cmdlet:
 
     ```PowerShell
@@ -148,7 +144,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications]
 
 ## Customize the notification
 
-See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center).
 
 ## Related topics
 

windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md

@@ -1,12 +1,11 @@
 ---
-title: Enable or disable specific mitigations used by Exploit protection
+title: Enable or disable specific mitigations used by exploit protection
 keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr
 description: You can enable individual mitigations using the Windows Security app or PowerShell. You can also audit mitigations and export configurations.
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: levinec

windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md

@@ -41,13 +41,15 @@ There are several methods you can use to onboard to the service. For information
 ## In Scope
 
 The following is in scope for this deployment guide:
+
 -   Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service
+
 -   Enabling Microsoft Defender ATP endpoint protection platform (EPP)
     capabilities
 
-    -   Next Generation Protection
+    -   Next-generation protection
 
-    -   Attack Surface Reduction
+    -   Attack surface reduction
 
 -   Enabling Microsoft Defender ATP endpoint detection and response (EDR)
     capabilities including automatic investigation and remediation

windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md

@@ -3,7 +3,6 @@ title: Enable attack surface reduction rules individually to protect your organi
 description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques.
 keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library

windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md

@@ -6,12 +6,10 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: denisebmsft
 ms.author: deniseb
-ms.date: 01/08/2020
 ms.reviewer: 
 manager: dansimp
 ---

windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md

@@ -1,6 +1,6 @@
 ---
 title: Turn on network protection 
-description: Enable Network protection with Group Policy, PowerShell, or MDM CSPs
+description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager
 keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -8,11 +8,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.reviewer: 
-audience: ITPro
 manager: dansimp
 ---
 
@@ -22,12 +20,11 @@ manager: dansimp
 
 * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it.
-You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.
 
 ## Check if network protection is enabled
 
-You can see if network protection has been enabled on a local device by using Registry editor.
+Check if network protection has been enabled on a local device by using Registry editor.
 
 1. Select the **Start** button in the task bar and type **regedit** to open Registry editor
 1. Choose **HKEY_LOCAL_MACHINE** from the side menu
@@ -40,82 +37,96 @@ You can see if network protection has been enabled on a local device by using Re
 
 ## Enable network protection
 
-You can enable network protection by using any of these methods:
+Enable network protection by using any of these methods:
 
 * [PowerShell](#powershell)
 * [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mdm)
+* [Mobile Device Management (MDM)](#mobile-device-management-mmd)
 * [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
 * [Group Policy](#group-policy)
 
 ### PowerShell
 
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
 2. Enter the following cmdlet:
 
     ```PowerShell
     Set-MpPreference -EnableNetworkProtection Enabled
     ```
 
-You can enable the feature in audit mode using the following cmdlet:
+3. Optional: Enable the feature in audit mode using the following cmdlet:
 
-```PowerShell
+    ```PowerShell
-Set-MpPreference -EnableNetworkProtection AuditMode
+    Set-MpPreference -EnableNetworkProtection AuditMode
-```
+    ```
 
-Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off.
+    Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature.
 
 ### Intune
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-1. Click **Device configuration** > **Profiles** > **Create profile**.
-1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-   ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
-1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.  
-   ![Enable network protection in Intune](../images/enable-np-intune.png)
-1. Click **OK** to save each open blade and click **Create**.
-1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 
-### MDM
+2. Go to **Device configuration** > **Profiles** > **Create profile**.
+
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
+   
+    ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
+
+4. Select **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.  
+   
+    ![Enable network protection in Intune](../images/enable-np-intune.png)
+
+5. Select **OK** to save each open section and **Create**.
+
+6. Select the profile **Assignments**, assign to **All Users & All Devices**, and **Save**.
+
+### Mobile Device Management (MMD)
 
 Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
 
 ## Microsoft Endpoint Configuration Manager
 
-1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
+
-1. Enter a name and a description, click **Network protection**, and click **Next**.
+2. Then go to **Home** > **Create Exploit Guard Policy**.
-1. Choose whether to block or audit access to suspicious domains and click **Next**.
+
-1. Review the settings and click **Next** to create the policy.
+3. Enter a name and a description, select **Network protection**, and then **Next**.
-1. After the policy is created, click **Close**.
+
+4. Choose whether to block or audit access to suspicious domains and select **Next**.
+
+5. Review the settings and select **Next** to create the policy.
+
+6. After the policy is created, **Close**.
 
 ### Group Policy
 
-You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer.
+Use the following procedure to enable network protection on domain-joined computers or on a standalone computer.
 
-1. On a standalone computer, click **Start**, type and then click **Edit group policy**.
+1. On a standalone computer, go to **Start** and then type and select **Edit group policy**.
 
     *-Or-*
 
-    On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+    On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
 
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
 
 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
 
-4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following:
+4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options:
-    * **Block** - Users will not be able to access malicious IP addresses and domains
+    * **Block** - Users can't access malicious IP addresses and domains
-    * **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains
+    * **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains
-    * **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
+    * **Audit Mode** - If a user visits a malicious IP address or domain, an event won't be recorded in the Windows event log. However, the user won't be blocked from visiting the address.
 
 > [!IMPORTANT]
 > To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
 
-You can confirm network protection is enabled on a local computer by using Registry editor:
+Confirm network protection is enabled on a local computer by using Registry editor:
+
+1. Select **Start** and type **regedit** to open **Registry Editor**.
 
-1. Click **Start** and type **regedit** to open **Registry Editor**.
 2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
-3. Click **EnableNetworkProtection** and confirm the value:
+
+3. Select **EnableNetworkProtection** and confirm the value:
    * 0=Off
    * 1=On
    * 2=Audit

windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md

@@ -37,7 +37,7 @@ These capabilities help prevent attacks and exploitations from infecting your or
 - [Evaluate application guard](../microsoft-defender-application-guard/test-scenarios-md-app-guard.md)
 - [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
 
-## Evaluate next generation protection
+## Evaluate next-generation protection
 
 Next gen protections help detect and block the latest threats.
 

windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: levinec

windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: levinec

windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md

@@ -6,7 +6,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: levinec

windows/security/threat-protection/microsoft-defender-atp/event-views.md

@@ -7,8 +7,6 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
-ms.date: 04/16/2018
 ms.localizationpriority: medium
 audience: ITPro
 author: levinec

windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md

@@ -7,7 +7,6 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: levinec

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md

@@ -1,7 +1,7 @@
 ---
 title: Microsoft Defender Advanced Threat Protection
 description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise endpoint security platform that helps defend against advanced persistent threats.
-keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
+keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -52,7 +52,7 @@ Microsoft Defender ATP uses the following combination of technology built into W
 <tr>
 <td><a href="#tvm"><center><img src="images/TVM_icon.png"> <br><b>Threat & Vulnerability Management</b></center></a></td>
 <td><a href="#asr"><center><img src="images/asr-icon.png"><br><b>Attack surface reduction</b></center></a></td>
-<td><center><a href="#ngp"><img src="images/ngp-icon.png"><br> <b>Next generation protection</b></a></center></td>
+<td><center><a href="#ngp"><img src="images/ngp-icon.png"><br> <b>Next-generation protection</b></a></center></td>
 <td><center><a href="#edr"><img src="images/edr-icon.png"><br> <b>Endpoint detection and response</b></a></center></td>
 <td><center><a href="#ai"><img src="images/air-icon.png"><br> <b>Automated investigation and remediation</b></a></center></td>
 <td><center><a href="#mte"><img src="images/mte-icon.png"><br> <b>Microsoft Threat Experts</b></a></center></td>
@@ -87,8 +87,8 @@ The attack surface reduction set of capabilities provide the first line of defen
 
 <a name="ngp"></a>
 
-**[Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**<br>
+**[Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**<br>
-To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
+To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats.
 
 <a name="edr"></a>
 

windows/security/threat-protection/microsoft-defender-atp/network-protection.md

@@ -3,7 +3,6 @@ title: Use network protection to help prevent connections to bad sites
 description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
 keywords: Network protection, exploits, malicious website, ip, domain, domains
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library

windows/security/threat-protection/microsoft-defender-atp/onboard.md

@@ -1,8 +1,8 @@
 ---
 title: Configure and manage Microsoft Defender ATP capabilities
 ms.reviewer: 
-description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, next generation protection, and security controls 
+description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, next-generation protection, and security controls 
-keywords: configure, manage, capabilities, attack surface reduction, next generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls
+keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -30,7 +30,7 @@ Configure and manage all the Microsoft Defender ATP capabilities to get the best
 Topic | Description 
 :---|:---
 [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) |  By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. 
-[Configure next generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
+[Configure next-generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next-generation protection to catch all types of emerging threats.
 [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
 [Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
 [Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. 

windows/security/threat-protection/microsoft-defender-atp/onboarding.md

@@ -219,8 +219,8 @@ Follow the steps below to identify the Microsoft Defender ATP Workspace ID and W
 
 Once completed, you should see onboarded endpoints in the portal within an hour.
 
-## Next generation protection 
+## next-generation protection 
-Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
+Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers.
 
 1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
 
@@ -228,7 +228,7 @@ Microsoft Defender Antivirus is a built-in antimalware solution that provides ne
 
 2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence   updates** and choose **OK**.
 
-    ![Image of next generation protection pane](images/1566ad81bae3d714cc9e0d47575a8cbd.png)
+    ![Image of next-generation protection pane](images/1566ad81bae3d714cc9e0d47575a8cbd.png)
 
     In certain industries or some select enterprise customers might have specific
 needs on how Antivirus is configured.
@@ -239,29 +239,29 @@ needs on how Antivirus is configured.
     For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
   
     
-    ![Image of next generation protection pane](images/cd7daeb392ad5a36f2d3a15d650f1e96.png)
+    ![Image of next-generation protection pane](images/cd7daeb392ad5a36f2d3a15d650f1e96.png)
 
-    ![Image of next generation protection pane](images/36c7c2ed737f2f4b54918a4f20791d4b.png)
+    ![Image of next-generation protection pane](images/36c7c2ed737f2f4b54918a4f20791d4b.png)
 
-    ![Image of next generation protection pane](images/a28afc02c1940d5220b233640364970c.png)
+    ![Image of next-generation protection pane](images/a28afc02c1940d5220b233640364970c.png)
 
-    ![Image of next generation protection pane](images/5420a8790c550f39f189830775a6d4c9.png)
+    ![Image of next-generation protection pane](images/5420a8790c550f39f189830775a6d4c9.png)
 
-    ![Image of next generation protection pane](images/33f08a38f2f4dd12a364f8eac95e8c6b.png)
+    ![Image of next-generation protection pane](images/33f08a38f2f4dd12a364f8eac95e8c6b.png)
 
-    ![Image of next generation protection pane](images/41b9a023bc96364062c2041a8f5c344e.png)
+    ![Image of next-generation protection pane](images/41b9a023bc96364062c2041a8f5c344e.png)
 
-    ![Image of next generation protection pane](images/945c9c5d66797037c3caeaa5c19f135c.png)
+    ![Image of next-generation protection pane](images/945c9c5d66797037c3caeaa5c19f135c.png)
 
-    ![Image of next generation protection pane](images/3876ca687391bfc0ce215d221c683970.png)
+    ![Image of next-generation protection pane](images/3876ca687391bfc0ce215d221c683970.png)
 
 3. Right-click on the newly created antimalware policy and select **Deploy**.
 
-    ![Image of next generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png)
+    ![Image of next-generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png)
 
 4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
 
-     ![Image of next generation protection pane](images/configmgr-select-collection.png)
+     ![Image of next-generation protection pane](images/configmgr-select-collection.png)
 
 After completing this task, you now have successfully configured Windows
 Defender Antivirus.

windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md

@@ -18,22 +18,19 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
 
-
 # Custom detections overview
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions.
+With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions.
 
-Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
+Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
 
 Custom detections provide:
 - Alerts for rule-based detections built from advanced hunting queries
 - Automatic response actions that apply to files and devices
 
->[!NOTE]
+## Related topics
->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+- [Create detection rules](custom-detection-rules.md)
-
+- [View and manage detection rules](custom-detections-manage.md)
-## Related topic
-- [Create and manage custom detection rules](custom-detection-rules.md)
 - [Advanced hunting overview](advanced-hunting-overview.md)

windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md

@@ -174,7 +174,7 @@ how the endpoint security suite should be enabled.
 |-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
 | Endpoint Detection & Response (EDR)     | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. <br> [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response)                                                                                                                                                                                                                                             | 1                   |
 |Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: <br> - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities <br> - Invaluable device vulnerability context during incident investigations <br> -  Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager <br> [Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
-| Next Generation Protection (NGP)        | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes: <br> -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.   <br> -  Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection"). <br> - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research. <br> [Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).                                                                                                                                                                                                                                                                                                                                                                       |3                   |
+| Next-generation protection (NGP)        | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes: <br> -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.   <br> -  Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection"). <br> - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research. <br> [Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).                                                                                                                                                                                                                                                                                                                                                                       |3                   |
 | Attack Surface Reduction (ASR)          | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. <br> [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction)                                                                                                                                                                                                                                                                                                                                                                                       | 4                   |
 | Auto Investigation & Remediation (AIR)  | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. <br>[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable      |
 | Microsoft Threat Experts (MTE)          | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. <br>[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)                                                                                                                                                                                                                                                                                                                     | Not applicable      |

windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md

@@ -7,7 +7,6 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: denisebmsft