Merge pull request #4512 from MicrosoftDocs/av-4758555

Update manage-updates-baselines-microsoft-defender-antivirus.md

windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md

@@ -1,13 +1,12 @@
 ---
-title: WDAC and virtualization-based code integrity (Windows 10)
-description: Hardware and software system integrity-hardening capabilites that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
+title: Windows Defender Application Control and virtualization-based code integrity (Windows 10)
+description: Hardware and software system integrity-hardening capabilities that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
 keywords: virtualization, security, malware, device guard
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 07/01/2019
 ms.reviewer: 
 manager: dansimp
 ms.custom: asr
@@ -19,24 +18,24 @@ ms.custom: asr
 -   Windows 10
 -   Windows Server 2016
 
-Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI). 
+Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks by using virtualization-based protection of code integrity (more specifically, HVCI). 
 
-Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices.  
+Configurable code integrity policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices.  
 
 Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions:
 
 1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. 
 2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows. 
-3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy. 
-4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
+3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy. 
+4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
 
 ## Windows Defender Application Control
 
-When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either. 
+When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with more hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either. 
 
 Configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
 
-Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control). 
+Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as an independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control). 
 We hope this change will help us better communicate options for adopting application control within an organization.
 
 ## Related articles

windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md

@@ -21,12 +21,12 @@ manager: dansimp
 
 You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. 
 
-This topic describes some common mistake that you should avoid when defining exclusions. 
+This article describes some common mistake that you should avoid when defining exclusions. 
 
 Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
 
 ## Excluding certain trusted items
-There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
+Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
 
 **Do not add exclusions for the following folder locations:**
 
@@ -61,44 +61,44 @@ There are certain files, file types, folders, or processes that you should not e
 - C:\Windows\Temp\*
 
 **Do not add exclusions for the following file extensions:**  
-- .7zip
-- .bat
-- .bin
-- .cab
-- .cmd
-- .com
-- .cpl
-- .dll
-- .exe
-- .fla
-- .gif
-- .gz
-- .hta
-- .inf
-- .java
-- .jar
-- .job
-- .jpeg
-- .jpg
-- .js
-- .ko
-- .ko.gz
-- .msi
-- .ocx
-- .png
-- .ps1
-- .py
-- .rar
-- .reg
-- .scr
-- .sys
-- .tar
-- .tmp
-- .url
-- .vbe
-- .vbs
-- .wsf
-- .zip
+- `.7zip`
+- `.bat`
+- `.bin`
+- `.cab`
+- `.cmd`
+- `.com`
+- `.cpl`
+- `.dll`
+- `.exe`
+- `.fla`
+- `.gif`
+- `.gz`
+- `.hta`
+- `.inf`
+- `.java`
+- `.jar`
+- `.job`
+- `.jpeg`
+- `.jpg`
+- `.js`
+- `.ko`
+- `.ko.gz`
+- `.msi`
+- `.ocx`
+- `.png`
+- `.ps1`
+- `.py`
+- `.rar`
+- `.reg`
+- `.scr`
+- `.sys`
+- `.tar`
+- `.tmp`
+- `.url`
+- `.vbe`
+- `.vbs`
+- `.wsf`
+- `.zip`
 
 >[!NOTE]
 > You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
@@ -150,7 +150,7 @@ Do not use a single exclusion list to define exclusions for multiple server work
 Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables.
 See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
 
-## Related topics
+## Related articles
 
 - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
 - [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md

@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 01/06/2021
 ms.reviewer: 
 manager: dansimp
 ---
@@ -39,20 +39,20 @@ To configure these settings:
 
 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
 
 3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
 
-4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+4. Select the policy **Setting** as specified in the table below, and set the option to your desired configuration. Select **OK**, and repeat for any other settings.
 
-Location | Setting | Description | Default setting (if not configured)
----|---|---|---
-Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
-Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
-Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
-Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
-Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
-Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
+|Location | Setting | Description | Default setting (if not configured) |
+|:---|:---|:---|:---|
+|Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled|
+|Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days |
+|Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) |
+|Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed |
+|Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable |
+|Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable |
 
 > [!IMPORTANT]
 > Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.

windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md

@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 01/06/2021
 ms.reviewer: 
 manager: dansimp
 ---
@@ -29,11 +29,11 @@ Depending on the management tool you are using, you may need to specifically ena
 
 See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
 
-Some scenarios require additional guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
+Some scenarios require more guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
 
-The remaining topic in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
+The remaining article in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
 
-## Related topics
+## Related articles
 
 - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
 - [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md

@@ -64,7 +64,7 @@ You can manage the distribution of updates through one of the following methods:
 For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
 
 > [!NOTE]
-> We release these monthly updates in phases. This results in multiple packages visible in your WSUS server.
+> Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
 
 ## Monthly platform and engine versions
 
@@ -143,7 +143,7 @@ No known issues
 
 ### Previous version updates: Technical upgrade support only
 
-Previous version updates are listed below, and are provided for technical upgrade support only. 
+After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only. 
 <br/><br/>
 
 <details>
@@ -369,16 +369,16 @@ The below table provides the Microsoft Defender Antivirus platform and engine ve
 
 |Windows 10 release  |Platform version  |Engine version |Support phase |
 |:---|:---|:---|:---|
-|2004  (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade Support (Only) |
-|1909  (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) |
-|1903  (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) |
-|1809  (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) |
-|1803  (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) |
-|1709  (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) |
-|1703  (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) |
-|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) |  
+|2004  (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade support (only) |
+|1909  (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade support (only) |
+|1903  (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade support (only) |
+|1809  (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade support (only) |
+|1803  (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade support (only) |
+|1709  (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade support (only) |
+|1703  (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade support (only) |
+|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade support (only) |  
 
-Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
+For Windows 10 release information, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
 
 ## Updates for Deployment Image Servicing and Management (DISM)
 

windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md

@@ -1,6 +1,6 @@
 ---
 title: Customize controlled folder access
-description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files.
+description: Add other folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files.
 keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -12,7 +12,7 @@ author: denisebmsft
 ms.author: deniseb
 ms.reviewer: jcedola, dbodorin, vladiso, nixanm, anvascon
 manager: dansimp
-ms.date: 12/16/2020
+ms.date: 01/06/2021
 ---
 
 # Customize controlled folder access
@@ -38,7 +38,7 @@ This article describes how to customize controlled folder access capabilities, a
 
 ## Protect additional folders
 
-Controlled folder access applies to a number of system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list.
+Controlled folder access applies to many system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list.
 
 Adding other folders to controlled folder access can be helpful for cases when you don't store files in the default Windows libraries, or you've changed the default location of your libraries.
 
@@ -72,7 +72,7 @@ You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobil
 
 ### Use PowerShell to protect additional folders
 
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
+1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
 
 2. Enter the following cmdlet:
 
@@ -125,7 +125,7 @@ An allowed application or service only has write access to a controlled folder a
 
 ### Use PowerShell to allow specific apps
 
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
+1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
 2. Enter the following cmdlet:
 
     ```PowerShell

windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md

@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 audience: ITPro
 author: denisebmsft
 ms.author: deniseb
-ms.date: 08/28/2020
+ms.date: 01/06/2021
 ms.reviewer: 
 manager: dansimp
 ---
@@ -38,20 +38,20 @@ You can set mitigation in audit mode for specific programs either by using the W
 
 ### Windows Security app
 
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
 
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
+2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**.
 
 3. Go to **Program settings** and choose the app you want to apply protection to:
 
-    1. If the app you want to configure is already listed, click it and then click **Edit**
-    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
-        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+    1. If the app you want to configure is already listed, select it and then select **Edit**
+    2. If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
+        - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
         - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 
-5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
 
 ### PowerShell
 

windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md

@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 audience: ITPro
 author: denisebmsft
 ms.author: deniseb
-ms.date: 07/20/2020
+ms.date: 01/06/2021
 ms.reviewer: cjacks
 manager: dansimp
 ms.custom: asr
@@ -223,7 +223,7 @@ Block low integrity images will prevent the application from loading files that
 
 ### Description
 
-Block remote images will prevent the application from loading files that are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory that are on an external device controlled by the attacker.
+Blocking remote images helps to prevent the application from loading files that are hosted on a remote device, such as a UNC share. Blocking remote images helps protect against loading binaries into memory that are on an external device controlled by the attacker.
 
 This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error.
 
@@ -257,7 +257,7 @@ The most common use of fonts outside of the system fonts directory is with [web
 
 ### Description
 
-Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. This includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process.
+Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. Code integrity guard includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process.
 
 This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary that is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process.
 
@@ -275,9 +275,9 @@ This mitigation specifically blocks any binary that is not signed by Microsoft.
 
 ### Description
 
-Control flow guard (CFG) mitigates the risk of attackers leveraging memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program).
+Control flow guard (CFG) mitigates the risk of attackers using memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program).
 
-This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation.
+This mitigation is provided by injecting another check at compile time. Before each indirect function call, another instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation.
 
 The check for a valid target is provided by the Windows kernel. When executable files are loaded, the metadata for indirect call targets is extracted at load time and marked as valid call targets. Additionally, when memory is allocated and marked as executable (such as for generated code), these memory locations are also marked as valid call targets, to support mechanisms such as JIT compilation.
 
@@ -296,7 +296,7 @@ Since applications must be compiled to support CFG, they implicitly declare thei
 
 ### Description
 
-Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code.
+Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. DEP helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code.
 
 If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash.
 
@@ -304,7 +304,7 @@ If you attempt to set the instruction pointer to a memory address not marked as
 
 All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is assumed.
 
-All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code.
+All x86 (32-bit) binaries have DEP enabled by default, but DEP can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, might not be compatible with DEP. Such applications typically generate code dynamically (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code.
 
 ### Configuration options
 
@@ -324,7 +324,7 @@ This includes:
 
 ### Compatibility considerations
 
-Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third party Legacy IMEs that will not work with the protected application.
+Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third-party Legacy IMEs that will not work with the protected application.
 
 ### Configuration options
 
@@ -341,7 +341,7 @@ Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode com
 
 ### Compatibility considerations
 
-This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation.
+This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will use process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation.
 
 ### Configuration options
 
@@ -379,18 +379,18 @@ This mitigation is primarily an issue for applications such as debuggers, sandbo
 
 ### Configuration options
 
-**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for additional commonly attacked modules:
+**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for other commonly attacked modules:
 
-- mshtml.dll
-- flash*.ocx
-- jscript*.ocx
-- vbscript.dll
-- vgx.dll
-- mozjs.dll
-- xul.dll
-- acrord32.dll
-- acrofx32.dll
-- acroform.api
+- `mshtml.dll`
+- `flash*.ocx`
+- `jscript*.ocx`
+- `vbscript.dll`
+- `vgx.dll`
+- `mozjs.dll`
+- `xul.dll`
+- `acrord32.dll`
+- `acrofx32.dll`
+- `acroform.api`
 
 Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory.
 
@@ -400,7 +400,7 @@ Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection t
 
 ### Description
 
-Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker leveraging techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose.
+Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker using techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose.
 
 Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019&preserve-view=true) linker option, and this mitigation has the same effect.
 
@@ -427,31 +427,31 @@ The memory pages for all protected APIs will have the [PAGE_GUARD](https://docs.
 
 This mitigation protects the following Windows APIs:
 
-- GetProcAddress
-- GetProcAddressForCaller
-- LoadLibraryA
-- LoadLibraryExA
-- LoadLibraryW
-- LoadLibraryExW
-- LdrGetProcedureAddress
-- LdrGetProcedureAddressEx
-- LdrGetProcedureAddressForCaller
-- LdrLoadDll
-- VirtualProtect
-- VirtualProtectEx
-- VirtualAlloc
-- VirtualAllocEx
-- NtAllocateVirtualMemory
-- NtProtectVirtualMemory
-- CreateProcessA
-- CreateProcessW
-- WinExec
-- CreateProcessAsUserA
-- CreateProcessAsUserW
-- GetModuleHandleA
-- GetModuleHandleW
-- RtlDecodePointer
-- DecodePointer
+- `GetProcAddress`
+- `GetProcAddressForCaller`
+- `LoadLibraryA`
+- `LoadLibraryExA`
+- `LoadLibraryW`
+- `LoadLibraryExW`
+- `LdrGetProcedureAddress`
+- `LdrGetProcedureAddressEx`
+- `LdrGetProcedureAddressForCaller`
+- `LdrLoadDll`
+- `VirtualProtect`
+- `VirtualProtectEx`
+- `VirtualAlloc`
+- `VirtualAllocEx`
+- `NtAllocateVirtualMemory`
+- `NtProtectVirtualMemory`
+- `CreateProcessA`
+- `CreateProcessW`
+- `WinExec`
+- `CreateProcessAsUserA`
+- `CreateProcessAsUserW`
+- `GetModuleHandleA`
+- `GetModuleHandleW`
+- `RtlDecodePointer`
+- `DecodePointer`
 
 ### Compatibility considerations
 
@@ -471,7 +471,7 @@ The size of the 32-bit address space places practical constraints on the entropy
 
 ### Compatibility considerations
 
-Most applications that are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled).
+Most applications that are compatible with Mandatory ASLR (rebasing) are also compatible with the other entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled).
 
 ### Configuration options
 
@@ -488,40 +488,40 @@ Simulate execution (SimExec) is a mitigation for 32-bit applications only. This
 
 The APIs intercepted by this mitigation are:
 
-- LoadLibraryA
-- LoadLibraryW
-- LoadLibraryExA
-- LoadLibraryExW
-- LdrLoadDll
-- VirtualAlloc
-- VirtualAllocEx
-- NtAllocateVirtualMemory
-- VirtualProtect
-- VirtualProtectEx
-- NtProtectVirtualMemory
-- HeapCreate
-- RtlCreateHeap
-- CreateProcessA
-- CreateProcessW
-- CreateProcessInternalA
-- CreateProcessInternalW
-- NtCreateUserProcess
-- NtCreateProcess
-- NtCreateProcessEx
-- CreateRemoteThread
-- CreateRemoteThreadEx
-- NtCreateThreadEx
-- WriteProcessMemory
-- NtWriteVirtualMemory
-- WinExec
-- CreateFileMappingA
-- CreateFileMappingW
-- CreateFileMappingNumaW
-- NtCreateSection
-- MapViewOfFile
-- MapViewOfFileEx
-- MapViewOfFileFromApp
-- LdrGetProcedureAddressForCaller
+- `LoadLibraryA`
+- `LoadLibraryW`
+- `LoadLibraryExA`
+- `LoadLibraryExW`
+- `LdrLoadDll`
+- `VirtualAlloc`
+- `VirtualAllocEx`
+- `NtAllocateVirtualMemory`
+- `VirtualProtect`
+- `VirtualProtectEx`
+- `NtProtectVirtualMemory`
+- `HeapCreate`
+- `RtlCreateHeap`
+- `CreateProcessA`
+- `CreateProcessW`
+- `CreateProcessInternalA`
+- `CreateProcessInternalW`
+- `NtCreateUserProcess`
+- `NtCreateProcess`
+- `NtCreateProcessEx`
+- `CreateRemoteThread`
+- `CreateRemoteThreadEx`
+- `NtCreateThreadEx`
+- `WriteProcessMemory`
+- `NtWriteVirtualMemory`
+- `WinExec`
+- `CreateFileMappingA`
+- `CreateFileMappingW`
+- `CreateFileMappingNumaW`
+- `NtCreateSection`
+- `MapViewOfFile`
+- `MapViewOfFileEx`
+- `MapViewOfFileFromApp`
+- `LdrGetProcedureAddressForCaller`
 
 If a ROP gadget is detected, the process is terminated.
 
@@ -543,40 +543,40 @@ Validate API invocation (CallerCheck) is a mitigation for return-oriented progra
 
 The APIs intercepted by this mitigation are:
 
-- LoadLibraryA
-- LoadLibraryW
-- LoadLibraryExA
-- LoadLibraryExW
-- LdrLoadDll
-- VirtualAlloc
-- VirtualAllocEx
-- NtAllocateVirtualMemory
-- VirtualProtect
-- VirtualProtectEx
-- NtProtectVirtualMemory
-- HeapCreate
-- RtlCreateHeap
-- CreateProcessA
-- CreateProcessW
-- CreateProcessInternalA
-- CreateProcessInternalW
-- NtCreateUserProcess
-- NtCreateProcess
-- NtCreateProcessEx
-- CreateRemoteThread
-- CreateRemoteThreadEx
-- NtCreateThreadEx
-- WriteProcessMemory
-- NtWriteVirtualMemory
-- WinExec
-- CreateFileMappingA
-- CreateFileMappingW
-- CreateFileMappingNumaW
-- NtCreateSection
-- MapViewOfFile
-- MapViewOfFileEx
-- MapViewOfFileFromApp
-- LdrGetProcedureAddressForCaller
+- `LoadLibraryA`
+- `LoadLibraryW`
+- `LoadLibraryExA`
+- `LoadLibraryExW`
+- `LdrLoadDll`
+- `VirtualAlloc`
+- `VirtualAllocEx`
+- `NtAllocateVirtualMemory`
+- `VirtualProtect`
+- `VirtualProtectEx`
+- `NtProtectVirtualMemory`
+- `HeapCreate`
+- `RtlCreateHeap`
+- `CreateProcessA`
+- `CreateProcessW`
+- `CreateProcessInternalA`
+- `CreateProcessInternalW`
+- `NtCreateUserProcess`
+- `NtCreateProcess`
+- `NtCreateProcessEx`
+- `CreateRemoteThread`
+- `CreateRemoteThreadEx`
+- `NtCreateThreadEx`
+- `WriteProcessMemory`
+- `NtWriteVirtualMemory`
+- `WinExec`
+- `CreateFileMappingA`
+- `CreateFileMappingW`
+- `CreateFileMappingNumaW`
+- `NtCreateSection`
+- `MapViewOfFile`
+- `MapViewOfFileEx`
+- `MapViewOfFileFromApp`
+- `LdrGetProcedureAddressForCaller`
 
 If a ROP gadget is detected, the process is terminated.
 
@@ -594,7 +594,7 @@ This mitigation is incompatible with the Arbitrary Code Guard mitigation.
 
 ### Description
 
-Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.
+Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can use a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.
 
 This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that:
 
@@ -619,7 +619,7 @@ Compatibility issues with SEHOP are relatively rare. It's uncommon for an applic
 
 ### Description
 
-*Validate handle usage* is a mitigation that helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE).
+*Validate handle usage* is a mitigation that helps protect against an attacker using an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE).
 
 This mitigation is automatically applied to Windows Store applications.
 
@@ -639,7 +639,7 @@ Applications that were not accurately tracking handle references, and which were
 The *validate heap integrity* mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected. The mitigations include:
 
 - Preventing a HEAP handle from being freed
-- Performing additional validation on extended block headers for heap allocations
+- Performing another validation on extended block headers for heap allocations
 - Verifying that heap allocations are not already flagged as in-use
 - Adding guard pages to large allocations, heap segments, and subsegments above a minimum size
 
@@ -672,48 +672,48 @@ Compatibility issues are uncommon. Applications that depend on replacing Windows
 
 The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack that controls the flow of execution.
 
-This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated.
+This mitigation intercepts many Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated.
 
 The APIs intercepted by this mitigation are:
 
-- LoadLibraryA
-- LoadLibraryW
-- LoadLibraryExA
-- LoadLibraryExW
-- LdrLoadDll
-- VirtualAlloc
-- VirtualAllocEx
-- NtAllocateVirtualMemory
-- VirtualProtect
-- VirtualProtectEx
-- NtProtectVirtualMemory
-- HeapCreate
-- RtlCreateHeap
-- CreateProcessA
-- CreateProcessW
-- CreateProcessInternalA
-- CreateProcessInternalW
-- NtCreateUserProcess
-- NtCreateProcess
-- NtCreateProcessEx
-- CreateRemoteThread
-- CreateRemoteThreadEx
-- NtCreateThreadEx
-- WriteProcessMemory
-- NtWriteVirtualMemory
-- WinExec
-- CreateFileMappingA
-- CreateFileMappingW
-- CreateFileMappingNumaW
-- NtCreateSection
-- MapViewOfFile
-- MapViewOfFileEx
-- MapViewOfFileFromApp
-- LdrGetProcedureAddressForCaller
+- `LoadLibraryA`
+- `LoadLibraryW`
+- `LoadLibraryExA`
+- `LoadLibraryExW`
+- `LdrLoadDll`
+- `VirtualAlloc`
+- `VirtualAllocEx`
+- `NtAllocateVirtualMemory`
+- `VirtualProtect`
+- `VirtualProtectEx`
+- `NtProtectVirtualMemory`
+- `HeapCreate`
+- `RtlCreateHeap`
+- `CreateProcessA`
+- `CreateProcessW`
+- `CreateProcessInternalA`
+- `CreateProcessInternalW`
+- `NtCreateUserProcess`
+- `NtCreateProcess`
+- `NtCreateProcessEx`
+- `CreateRemoteThread`
+- `CreateRemoteThreadEx`
+- `NtCreateThreadEx`
+- `WriteProcessMemory`
+- `NtWriteVirtualMemory`
+- `WinExec`
+- `CreateFileMappingA`
+- `CreateFileMappingW`
+- `CreateFileMappingNumaW`
+- `NtCreateSection`
+- `MapViewOfFile`
+- `MapViewOfFileEx`
+- `MapViewOfFileFromApp`
+- `LdrGetProcedureAddressForCaller`
 
 ### Compatibility considerations
 
-Applications that are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
+Applications that are using fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
 Applications that perform API interception, particularly security software, can cause compatibility problems with this mitigation.
 
 This mitigation is incompatible with the Arbitrary Code Guard mitigation.

windows/security/threat-protection/microsoft-defender-atp/network-protection.md

@@ -11,7 +11,6 @@ ms.localizationpriority: medium
 audience: ITPro
 author: denisebmsft
 ms.author: deniseb
-ms.date: 04/30/2019
 ms.reviewer: 
 manager: dansimp
 ms.custom: asr
@@ -33,7 +32,7 @@ Network protection expands the scope of [Microsoft Defender SmartScreen](../micr
 
 Network protection is supported beginning with Windows 10, version 1709. 
 
-For more details about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
+For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
 
 > [!TIP]
 > You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
@@ -46,7 +45,7 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network
 
 ## Requirements
 
-Network protection requires Windows 10 Pro, Enterprise E3, E5 and Microsoft Defender AV real-time protection.
+Network protection requires Windows 10 Pro, Enterprise E3, E5, and Microsoft Defender AV real-time protection.
 
 Windows 10 version | Microsoft Defender Antivirus
 -|-
@@ -76,7 +75,7 @@ You can review the Windows event log to see events that are created when network
 
 1. [Copy the XML directly](event-views.md).
 
-2. Click **OK**.
+2. Select **OK**.
 
 3. This will create a custom view that filters to only show the following events related to network protection:
 
@@ -88,6 +87,6 @@ You can review the Windows event log to see events that are created when network
 
 ## Related articles
 
-- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created.
+- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created.
 
 - [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.