diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 4058411223..9501635fa9 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -15,7 +15,7 @@ For a detailed feature list of what's in the current Microsoft Edge releases, th ## February 2017 |New or changed topic | Description | |----------------------|-------------| -|[Available Group Policy and Mobile Data Management (MDM) settings policies for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. | +|[Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. | ## November 2016 |New or changed topic | Description | diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 06b5f7dd0a..d229e05de5 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -277,7 +277,7 @@ Changes to volume levels can be sent by a room control system, or other system. Command State change -Response +Response
(On in [Replacement PC mode](connect-and-display-with-surface-hub.md#replacement-pc-mode)) diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 98951382e3..6eeb973c7f 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md 
@@ -1,18 +1,18 @@ # [Deploy Windows 10](index.md) ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) -## [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) -### [Upgrade Analytics architecture](upgrade-analytics-architecture.md) -### [Upgrade Analytics requirements](upgrade-analytics-requirements.md) -### [Upgrade Analytics release notes](upgrade-analytics-release-notes.md) -### [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) -#### [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md) -### [Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md) -#### [Upgrade overview](upgrade-analytics-upgrade-overview.md) -#### [Step 1: Identify apps](upgrade-analytics-identify-apps.md) -#### [Step 2: Resolve issues](upgrade-analytics-resolve-issues.md) -#### [Step 3: Deploy Windows](upgrade-analytics-deploy-windows.md) -#### [Additional insights](upgrade-analytics-additional-insights.md) -### [Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md) +## [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) +### [Upgrade Readiness architecture](upgrade-readiness-architecture.md) +### [Upgrade Readiness requirements](upgrade-readiness-requirements.md) +### [Upgrade Readiness release notes](upgrade-readiness-release-notes.md) +### [Get started with Upgrade Readiness](upgrade-readiness-get-started.md) +#### [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) +### [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md) +#### [Upgrade overview](upgrade-readiness-upgrade-overview.md) +#### [Step 1: Identify apps](upgrade-readiness-identify-apps.md) +#### [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md) +#### [Step 3: Deploy Windows](upgrade-readiness-deploy-windows.md) +#### 
[Additional insights](upgrade-readiness-additional-insights.md) +### [Troubleshoot Upgrade Readiness](troubleshoot-upgrade-readiness.md) ## [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) ### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) ### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index af095cc5b1..a71d13e154 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md @@ -14,6 +14,7 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc ## February 2017 | New or changed topic | Description | |----------------------|-------------| +| [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) | Multiple topics updated, name changed from Upgrade Analytics to Upgrade Readiness, and other content updates. | | [USMT Requirements](usmt-requirements.md) | Updated: Vista support removed and other minor changes | | [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) | Updated structure and content | | [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md) | Added as a separate page from get started | diff --git a/windows/deploy/images/ua-cg-08.png b/windows/deploy/images/ua-cg-08.png index 4d7f924d76..f256b2f097 100644 Binary files a/windows/deploy/images/ua-cg-08.png and b/windows/deploy/images/ua-cg-08.png differ diff --git a/windows/deploy/images/ua-cg-09-old.png b/windows/deploy/images/ua-cg-09-old.png new file mode 100644 index 0000000000..b9aa1cea41 Binary files /dev/null and b/windows/deploy/images/ua-cg-09-old.png differ 
diff --git a/windows/deploy/images/ua-cg-09.png b/windows/deploy/images/ua-cg-09.png index b9aa1cea41..0150a24ee5 100644 Binary files a/windows/deploy/images/ua-cg-09.png and b/windows/deploy/images/ua-cg-09.png differ diff --git a/windows/deploy/images/ua-cg-15.png b/windows/deploy/images/ua-cg-15.png index 5362db66da..009315fc4a 100644 Binary files a/windows/deploy/images/ua-cg-15.png and b/windows/deploy/images/ua-cg-15.png differ diff --git a/windows/deploy/images/ur-overview.PNG b/windows/deploy/images/ur-overview.PNG new file mode 100644 index 0000000000..f1818d7073 Binary files /dev/null and b/windows/deploy/images/ur-overview.PNG differ diff --git a/windows/deploy/images/ur-target-version.png b/windows/deploy/images/ur-target-version.png new file mode 100644 index 0000000000..43f0c9aa0c Binary files /dev/null and b/windows/deploy/images/ur-target-version.png differ diff --git a/windows/deploy/index.md b/windows/deploy/index.md index b2d4ab858c..3b669c973b 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md 
@@ -17,7 +17,7 @@ Learn about deploying Windows 10 for IT professionals. |Topic |Description | |------|------------| |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. | -|[Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) |With Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | +|[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. 
| |[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. | |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. | diff --git a/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md b/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md index a7d55fda76..2282def12f 100644 --- a/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md +++ b/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md 
@@ -1,43 +1,4 @@ --- title: Manage Windows upgrades with Upgrade Analytics (Windows 10) -description: Provides an overview of the process of managing Windows upgrades with Upgrade Analytics. -ms.prod: w10 -author: greg-lindsay +redirect_url: manage-windows-upgrades-with-upgrade-readiness.md --- - -# Manage Windows upgrades with Upgrade Analytics - -Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. - -With the release of Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. - -Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. - -With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
- -Use Upgrade Analytics to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools, including System Center Configuration Manager - -The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. - -**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see: - -- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) -- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services) -- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) - -##**Related topics** - -[Upgrade Analytics architecture](upgrade-analytics-architecture.md)
-[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
-[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
-[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
-[Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md)
-[Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
diff --git a/windows/deploy/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deploy/manage-windows-upgrades-with-upgrade-readiness.md new file mode 100644 index 0000000000..de269889bf --- /dev/null +++ b/windows/deploy/manage-windows-upgrades-with-upgrade-readiness.md 
@@ -0,0 +1,43 @@ +--- +title: Manage Windows upgrades with Upgrade Readiness (Windows 10) +description: Provides an overview of the process of managing Windows upgrades with Upgrade Readiness. +ms.prod: w10 +author: greg-lindsay +--- + +# Manage Windows upgrades with Upgrade Readiness + +Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. + +With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Windows Upgrade Readiness not only supports upgrade management from Windows 7, Windows 8.1 to Windows 10, but also Windows 10 upgrades in the [Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview) model. + +Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
+ +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools, including System Center Configuration Manager + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. + +**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see: + +- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) +- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services) +- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) + +##**Related topics** + +[Upgrade Readiness architecture](upgrade-readiness-architecture.md)
+[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
+[Upgrade Readiness release notes](upgrade-readiness-release-notes.md)
+[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
+[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md)
+[Troubleshoot Upgrade Readiness](troubleshoot-upgrade-readiness.md)
diff --git a/windows/deploy/troubleshoot-upgrade-analytics.md b/windows/deploy/troubleshoot-upgrade-analytics.md index 03c096cc19..8a2170c5d3 100644 --- a/windows/deploy/troubleshoot-upgrade-analytics.md +++ b/windows/deploy/troubleshoot-upgrade-analytics.md 
@@ -1,38 +1,4 @@ --- title: Troubleshoot Upgrade Analytics (Windows 10) -description: Provides troubleshooting information for Upgrade Analytics. -ms.prod: w10 -author: greg-lindsay +redirect_url: troubleshoot-upgrade-readiness.md --- - -# Troubleshoot Upgrade Analytics - -If you’re having issues seeing data in Upgrade Analytics after running the Upgrade Analytics Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error. - -If you still don’t see data in Upgrade Analytics, follow these steps: - -1. Download and extract UpgradeAnalytics.zip. Ensure the “Diagnostics” folder is included. - -2. Edit the script as described in [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md). - -3. Check that isVerboseLogging is set to $true. - -4. Run the script again. Log files will be saved to the directory specified in the script. - -5. Open a support case with Microsoft Support through your regular channel and provide this information. - -## Disable Upgrade Analytics - -If you want to stop using Upgrade Analytics and stop sending telemetry data to Microsoft, follow these steps: - -1. Unsubscribe from the Upgrade Analytics solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. - - ![Upgrade Analytics unsubscribe](images/upgrade-analytics-unsubscribe.png) - -2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. 
On computers running Windows 10, set the telemetry level to **Security**: - - **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* - **Windows 10**: Follow the instructions in the [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#enterprise-management) topic. - -3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*. -4. You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**. diff --git a/windows/deploy/troubleshoot-upgrade-readiness.md b/windows/deploy/troubleshoot-upgrade-readiness.md new file mode 100644 index 0000000000..700408bdd6 --- /dev/null +++ b/windows/deploy/troubleshoot-upgrade-readiness.md 
@@ -0,0 +1,38 @@ +--- +title: Troubleshoot Upgrade Readiness (Windows 10) +description: Provides troubleshooting information for Upgrade Readiness. +ms.prod: w10 +author: greg-lindsay +--- + +# Troubleshoot Upgrade Readiness + +If you’re having issues seeing data in Upgrade Readiness after running the Upgrade Readiness Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error. + +If you still don’t see data in Upgrade Readiness, follow these steps: + +1. Download and extract UpgradeAnalytics.zip. Ensure the “Diagnostics” folder is included. + +2. Edit the script as described in [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md). + +3. Check that isVerboseLogging is set to $true. + +4. Run the script again. Log files will be saved to the directory specified in the script. + +5. Open a support case with Microsoft Support through your regular channel and provide this information. + +## Disable Upgrade Readiness + +If you want to stop using Upgrade Readiness and stop sending telemetry data to Microsoft, follow these steps: + +1. Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. + + ![Upgrade Readiness unsubscribe](images/upgrade-analytics-unsubscribe.png) + +2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. 
On computers running Windows 10, set the telemetry level to **Security**: + + **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* + **Windows 10**: Follow the instructions in the [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#enterprise-management) topic. + +3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*. +4. You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**. diff --git a/windows/deploy/upgrade-analytics-additional-insights.md b/windows/deploy/upgrade-analytics-additional-insights.md index fd99d97682..e87964737f 100644 --- a/windows/deploy/upgrade-analytics-additional-insights.md +++ b/windows/deploy/upgrade-analytics-additional-insights.md 
@@ -1,81 +1,5 @@ --- title: Upgrade Analytics - Additional insights -description: Explains additional features of Upgrade Analytics. -ms.prod: w10 -author: greg-lindsay +redirect_url: upgrade-analytics-additional-insights.md --- -# Upgrade Analytics - Additional insights - -This topic provides information on additional features that are available in Upgrade Analytics to provide insights into your environment. These include: - -- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7 or Windows 8.1 using Internet Explorer. -- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers. - -## Site discovery - -The site discovery feature in Upgrade Analytics provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 8.1 and Windows 7. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. - -> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. 
- -### Install prerequisite security update for Internet Explorer - -Ensure the following prerequisites are met before using site discovery: - -1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. -2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)). -3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md) to allow Internet Explorer data collection before you run it. - - If necessary, you can also enable it by creating the following registry entry. - - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection - - Entry name: IEDataOptIn - - Data type: DWORD - - Values: - - > *IEOptInLevel = 0 Internet Explorer data collection is disabled* - > - > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones* - > - > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones* - > - > *IEOptInLevel = 3 Data collection is enabled for all sites* - - For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx). - - ![Create the IEDataOptIn registry key](images/upgrade-analytics-create-iedataoptin.png) - -### Review most active sites - -This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page. - -For each site, the fully qualified domain name will be listed. 
You can sort the data by domain name or by URL. - -![Most active sites](Images/upgrade-analytics-most-active-sites.png) - -Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name. - -![Site domain detail](images/upgrade-analytics-site-domain-detail.png) - -### Review document modes in use - -This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes). - -![Site activity by document mode](images/upgrade-analytics-site-activity-by-doc-mode.png) - -### Run browser-related queries - -You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries. - -![](images/upgrade-analytics-query-activex-name.png) - -## Office add-ins - -Office add-ins provides a list of the Microsoft Office add-ins in your environment, and enumerates the computers that have these add-ins installed. This information should not affect the upgrade decision workflow, but can be helpful to an administrator. - -## Related topics - -[Upgrade Analytics release notes](upgrade-analytics-release-notes.md) diff --git a/windows/deploy/upgrade-analytics-architecture.md b/windows/deploy/upgrade-analytics-architecture.md index e7e639105a..efb7f3da12 100644 
--- a/windows/deploy/upgrade-analytics-architecture.md +++ b/windows/deploy/upgrade-analytics-architecture.md @@ -1,30 +1,4 @@ --- title: Upgrade Analytics architecture (Windows 10) -description: Describes Upgrade Analytics architecture. -ms.prod: w10 -author: greg-lindsay +redirect_url: upgrade-readiness-architecture.md --- - -# Upgrade Analytics architecture - -Microsoft analyzes system, application, and driver telemetry data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Analytics components work together in a typical installation. - - - -![Upgrade Analytics architecture](images/upgrade-analytics-architecture.png) - -After you enable Windows telemetry on user computers and install the compatibility update KB (1), user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Analytics, telemetry data is analyzed by the Upgrade Analytics Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Analytics solution (5) to plan and manage Windows upgrades. - -For more information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see: - -[Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
-[Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-[Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
- -##**Related topics** - -[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
-[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
-[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
diff --git a/windows/deploy/upgrade-analytics-deploy-windows.md b/windows/deploy/upgrade-analytics-deploy-windows.md index 57b8c26f7f..d588902b57 100644 --- a/windows/deploy/upgrade-analytics-deploy-windows.md +++ b/windows/deploy/upgrade-analytics-deploy-windows.md 
@@ -1,97 +1,4 @@ --- title: Upgrade Analytics - Get a list of computers that are upgrade-ready (Windows 10) -description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Analytics. -ms.prod: w10 -author: greg-lindsay +redirect_url: upgrade-readiness-deploy-windows.md --- - -# Upgrade Analytics - Step 3: Deploy Windows - -All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready. -The blades in the **Deploy** section are: - -- [Deploy eligible computers](#deploy-eligible-computers) -- [Deploy computers by group](#computer-groups) - ->Computers that are listed in this step are assigned an **UpgradeDecision** value, and the total count of computers in each upgrade decision category is displayed. Additionally, computers are assigned an **UpgradeAssessment** value. This value is displayed by drilling down into a specific upgrade decision category. For information about upgrade assessment values, see [Upgrade assessment](#upgrade-assessment). - -## Deploy eligible computers - -In this blade, computers grouped by upgrade decision are listed. The upgrade decision on the machines is a calculated value based on the upgrade decision status for the apps and drivers installed on the computer. This value cannot be modified directly. The upgrade decision is calculated in the following ways: -- **Review in progress**: At least one app or driver installed on the computer is marked **Review in progress**. -- **Ready to upgrade**: All apps and drivers installed on the computer are marked as **Ready to Upgrade**. -- **Won’t upgrade**: At least one app or driver installed on the computer is marked as **Won’t upgrade**, or a system requirement is not met. 
- - - -![Deploy eligible computers](images/ua-cg-16.png) - -Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers. - ->**Important**
When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. - -## Computer groups - -Computer groups allow you to segment your environment by creating device groups based on OMS log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/). - -Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Analytics Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS. - -### Getting started with Computer Groups - -When you sign in to OMS, you will see a new blade entitled **Computer Groups**. See the following example: - -![Computer groups](images/ua-cg-01.png) - -To create a computer group, open **Log Search** and create a query based on **Type=UAComputer**, for example: - -``` -Type=UAComputer Manufacturer=DELL -``` - -![Computer groups](images/ua-cg-02.png) - -When you are satisfied that the query is returning the intended results, add the following text to your search: - -``` -| measure count() by Computer -``` - -This will ensure every computer only shows up once. Then, save your group by clicking **Save** and **Yes**. See the following example: - -![Computer groups](images/ua-cg-03.png) - -Your new computer group will now be available in Upgrade Analytics. See the following example: - -![Computer groups](images/ua-cg-04.png) - -### Using Computer Groups - -When you drill into a computer group, you will see that computers are categorized by **UpgradeDecision**. 
For computers with the status **Review in progress** or **Won’t upgrade** you can drill down to view issues that cause a computer to be in each category, or you can simply display a list of the computers in the category. For computers that are designated **Ready to upgrade**, you can go directly to the list of computers that are ready. - -![Computer groups](images/ua-cg-05.png) - -Viewing a list of computers in a certain status is self-explanatory, Let’s look at what happens when you click the details link on **Review in progress**: - -![Computer groups](images/ua-cg-06.png) - -Next, select if you want to see application issues (**UAApp**) or driver issues (**UADriver**). See the following example of selecting **UAApp**: - -![Computer groups](images/ua-cg-07.png) - -A list of apps that require review so that Dell Computers are ready for upgrade to Windows 10 is displayed. - -### Upgrade assessment - -Upgrade assessment and guidance details are explained in the following table. - -| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance | -|-----------------------|------------------------------------------------|----------|-----------------|---------------| -| No known issues | No | None | Computers will upgrade seamlessly.
| OK to use as-is in pilot. | -| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. | -| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.

If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.

| - -Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file. - ->**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-deployment-script.md b/windows/deploy/upgrade-analytics-deployment-script.md index 06bff0e12b..19b49e89d9 100644 --- a/windows/deploy/upgrade-analytics-deployment-script.md +++ b/windows/deploy/upgrade-analytics-deployment-script.md 
@@ -1,103 +1,4 @@ --- title: Upgrade Analytics deployment script (Windows 10) -description: Deployment script for Upgrade Analytics. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Upgrade Analytics deployment script - -To automate the steps provided in [Get started with Upgrade Analytics](upgrade-analytics-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft. - -For detailed information about using the upgrade analytics deployment script, also see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/). - -> The following guidance applies to version 11.11.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). - -The Upgrade Analytics deployment script does the following: - -1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys. -2. Verifies that user computers can send data to Microsoft. -3. Checks whether the computer has a pending restart.   -4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended). -5. If enabled, turns on verbose mode for troubleshooting. -6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness. -7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file. - -To run the Upgrade Analytics deployment script: - -1. 
Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization. - -2. Edit the following parameters in RunConfig.bat: - - 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics - - 2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry. - - 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options: - - > *logMode = 0 log to console only* -> - > *logMode = 1 log to file and console* -> - > *logMode = 2 log to file only* - -3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. 
Then use one of the following options to determine what Internet Explorer data can be collected: - - > *IEOptInLevel = 0 Internet Explorer data collection is disabled* - > - > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones* - > - > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones* - > - > *IEOptInLevel = 3 Data collection is enabled for all sites* - -4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. - -
- -The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered. - -
- - -
Exit codeMeaningSuggested fix -
0Success -
1Unexpected error occurred while executing the script The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again. -
2Error when logging to console. $logMode = 0. Try changing the $logMode value to **1** and try again. -
3Error when logging to console and file. $logMode = 1.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. -
4Error when logging to file. $logMode = 2.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. -
5Error when logging to console and file. $logMode = unknown.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. -
6The commercialID parameter is set to unknown. Modify the script.Set the value for CommercialID in runconfig.bat file. -
8Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. Verify that the configuration script has access to this location. -
9Error when writing CommercialId to registry.Verify that the configuration script has access to this location. -
10Error when writing CommercialDataOptIn to registry.Verify that the configuration script has access to this location. -
11Function -SetupCommercialId: Unexpected failure.Verify that the configuration script has access to this location. -
12Can’t connect to Microsoft – Vortex. Check your network/proxy settings.Verify that the required endpoints are whitelisted correctly. -
13Can’t connect to Microsoft – setting. Verify that the required endpoints are whitelisted correctly. -
14Can’t connect to Microsoft – compatexchange. Verify that the required endpoints are whitelisted. -
15Error connecting to Microsoft:Unexpected failure. -
16Machine requires reboot. The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. -
17Function -CheckRebootRequired: Unexpected failure.The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. -
18Outdated compatibility update KB package. Update via Windows Update/WSUS. -The configuration script detected a version of the Compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Analytics solution. Use the latest version of the Compatibility update for Windows 7 SP1/Windows 8.1. -
19The compatibility update failed with unexpected exception. The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again. -
20Error writing RequestAllAppraiserVersions registry key. This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location. -
21Function – SetRequestAllAppraiserVersions: Unexpected failure.This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location. -
22RunAppraiser failed with unexpected exception. Check %windir%\System32 directory for a file called CompatTelRunner.exe. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization group policy to make sure it does not remove this file. -
23Error finding system variable %WINDIR%. Make sure that this environment variable is available on the machine. -
24SetIEDataOptIn failed when writing IEDataOptIn to registry. Verify that the deployment script in running in a context that has access to the registry key. -
25SetIEDataOptIn failed with unexpected exception. The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again. -
26The operating system is Server or LTSB SKU. The script does not support Server or LTSB SKUs. -
27The script is not running under System account.The Upgrade Analytics configuration script must be run as system. -
28Could not create log file at the specified logPath. Make sure the deployment script has access to the location specified in the logPath parameter. -
29 Connectivity check failed for proxy authentication. Install the cumulative updates on the machine and enable the `DisableEnterpriseAuthProxy` authentication proxy setting. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). -
30Connectivity check failed. Registry key property `DisableEnterpriseAuthProxy` is not enabled. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). -
31There is more than one instance of the Upgrade Analytics data collector running at the same time on this machine. Use the Windows Task Manager to check if CompatTelRunner.exe is running, and wait until it has completed to rerun the script. -**The Upgrade Analytics task is scheduled to run daily at 3 a.m.** -
- -
- +redirect_url: upgrade-readiness-deployment-script.md +--- \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index 58a6877174..444b0948f3 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md @@ -1,130 +1,4 @@ --- title: Get started with Upgrade Analytics (Windows 10) -description: Explains how to get started with Upgrade Analytics. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Get started with Upgrade Analytics - -This topic explains how to obtain and configure Upgrade Analytics for your organization. - -You can use Upgrade Analytics to plan and manage your upgrade project end-to-end. Upgrade Analytics works by establishing communications between computers in your organization and Microsoft. Upgrade Analytics collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft. - -Before you begin, consider reviewing the following helpful information:
- - [Upgrade Analytics requirements](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements): Provides detailed requirements to use Upgrade Analytics.
- - [Upgrade Analytics blog](https://blogs.technet.microsoft.com/UpgradeAnalytics): Contains announcements of new features and provides helpful tips for using Upgrade Analytics. - ->If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Analytics with Configuration Manager: [Integrate Upgrade Analytics with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). - -When you are ready to begin using Upgrade Analytics, perform the following steps: - -1. Review [data collection and privacy](#data-collection-and-privacy) information. -2. [Add Upgrade Analytics to OMS](#add-upgrade-analytics-to-operations-management-suite). -3. [Enable data sharing](#enable-data-sharing). -4. [Deploy required updates](#deploy-the-compatibility-update-and-related-kbs) to computers, and validate using a pilot deployment. -5. [Deploy Upgrade Analytics at scale](#deploy-upgrade-analytics-at-scale). - -## Data collection and privacy - -To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. 
For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see the following topics: - -- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) -- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services) -- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) - -## Add Upgrade Analytics to Operations Management Suite - -Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). - -If you are already using OMS, you’ll find Upgrade Analytics in the Solutions Gallery. Select the **Upgrade Analytics** tile in the gallery and then click **Add** on the solution's details page. Upgrade Analytics is now visible in your workspace. - -If you are not using OMS: - -1. Go to the [Upgrade Analytics page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process. -2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. -3. Create a new OMS workspace. 
Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. -4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. - - > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens. - -1. To add the Upgrade Analytics solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Analytics** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Analytics. - -2. Click the **Upgrade Analytics** tile to configure the solution. The **Settings Dashboard** opens. - -### Generate your commercial ID key - -Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. Generate your commercial ID key in OMS and then deploy it to user computers. - -1. On the Settings Dashboard, navigate to the **Windows telemetry** panel. - - ![upgrade-analytics-telemetry](images/upgrade-analytics-telemetry.png) - -2. On the Windows telemetry panel, copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Analytics deployment script later so it can be deployed to user computers. - - >**Important**
Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you’ll need to deploy the new commercial ID key to user computers again. - -### Subscribe to Upgrade Analytics - -For Upgrade Analytics to receive and display upgrade readiness data from Microsoft, subscribe your OMS workspace to Upgrade Analytics. - -1. On the **Windows telemetry** panel, click **Subscribe**. The button changes to **Unsubscribe**. Unsubscribe from the Upgrade Analytics solution if you no longer want to receive upgrade-readiness information from Microsoft. Note that user computer data will continue to be shared with Microsoft for as long as the opt-in keys are set on user computers and the proxy allows the traffic. - -1. Click **Overview** on the Settings Dashboard to return to your OMS workspace portal. The Upgrade Analytics tile now displays summary data. Click the tile to open Upgrade Analytics. - -## Enable data sharing - -To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this. - -Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account. - -| **Endpoint** | **Function** | -|---------------------------------------------------------|-----------| -| `https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. | -| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. | -| `https://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. | - - -## Deploy the compatibility update and related KBs - -The compatibility update KB scans your computers and enables application usage tracking. If you don’t already have these KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager. - -| **Operating System** | **KBs** | -|----------------------|-----------------------------------------------------------------------------| -| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see

[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. | -| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see

[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2952664 must be installed before you can download and install KB3150513. | - -IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time. - -If you are planning to enable IE Site Discovery, you will need to install a few additional KBs. - -| **Site discovery** | **KB** | -|----------------------|-----------------------------------------------------------------------------| -| [Review site discovery](upgrade-analytics-review-site-discovery.md) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
For more information about this KB, see

Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. | - -### Deploy the Upgrade Analytics deployment script - -You can use the Upgrade Analytics deployment script to automate and verify your deployment. - -See [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md) for information on obtaining and running the script, and for a description of the error codes that can be displayed. - ->After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Analytics. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Analytics. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers. - -## Deploy Upgrade Analytics at scale - -When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining computers in your organization. - -### Automate data collection - -To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes. - -- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing. -- Schedule the Upgrade Analytics deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated. 
Computers are re-scanned only when the compatibility KBs are updated, so if your inventory changes significantly between KB releases you won’t see the changes in Upgrade Analytics until you run the script again. -- Schedule monthly user computer scans to view monthly active computer and usage information. - -### Distribute the deployment script at scale - -Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Analytics deployment script at scale. For more information, see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/). \ No newline at end of file +redirect_url: upgrade-readiness-get-started.md +--- \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-identify-apps.md b/windows/deploy/upgrade-analytics-identify-apps.md index cfd5df068f..243be13215 100644 --- a/windows/deploy/upgrade-analytics-identify-apps.md +++ b/windows/deploy/upgrade-analytics-identify-apps.md 
@@ -1,36 +1,5 @@ --- title: Upgrade Analytics - Identify important apps (Windows 10) -description: Describes how to prepare your environment so that you can use Upgrade Analytics to manage Windows upgrades. -ms.prod: w10 -author: greg-lindsay +redirect_url: upgrade-readiness-identify-apps.md --- -# Upgrade Analytics - Step 1: Identify important apps - -This is the first step of the Upgrade Analytics workflow. In this step, applications are listed and grouped by importance level. Setting the importance level enables you to prioritize applications for upgrade. - - - -![Prioritize applications](images/upgrade-analytics-prioritize.png) - -Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them. - -To change an application’s importance level: - -1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level. -2. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list. -3. Click **Save** when finished. - -Importance levels include: - -| Importance level | When to use it | Recommendation | -|--------------------|------------------|------------------| -| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]

Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.
| Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. For example, payroll apps or tax accounting apps tend to be installed on a relatively small number of machines but are still considered business critical applications.

| -| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you set their importance level.

| Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. | -| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.

| You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
| -| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
| -| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**.
| Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing. If you set the importance level to ignore, and this is an app that you are not planning on testing or validating, consider changing the upgrade decision to **Ready to upgrade**. By marking these apps ready to upgrade, you are indicating that you are comfortable upgrading with the app remaining in its current state.

| -| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.
| As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.

Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**.
| - diff --git a/windows/deploy/upgrade-analytics-prepare-your-environment.md b/windows/deploy/upgrade-analytics-prepare-your-environment.md index 78eeaa078b..1cfb353c46 100644 --- a/windows/deploy/upgrade-analytics-prepare-your-environment.md +++ b/windows/deploy/upgrade-analytics-prepare-your-environment.md @@ -1,4 +1,4 @@ --- title: Upgrade Analytics - Identify important apps (Windows 10) -redirect_url: upgrade-analytics-identify-apps +redirect_url: upgrade-readiness-identify-apps.md --- \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-release-notes.md b/windows/deploy/upgrade-analytics-release-notes.md index dbf92527d7..527b616631 100644 --- a/windows/deploy/upgrade-analytics-release-notes.md +++ b/windows/deploy/upgrade-analytics-release-notes.md @@ -1,5 +1,5 @@ --- title: Upgrade Analytics release notes (Windows 10) description: Provides tips and limitations about Upgrade Analytics. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements#important-information-about-this-release +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-requirements#important-information-about-this-release --- \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-requirements.md b/windows/deploy/upgrade-analytics-requirements.md index 3875acc090..76e48e5b44 100644 --- a/windows/deploy/upgrade-analytics-requirements.md +++ b/windows/deploy/upgrade-analytics-requirements.md 
@@ -1,88 +1,5 @@ --- title: Upgrade Analytics requirements (Windows 10) -description: Provides requirements for Upgrade Analytics. -ms.prod: w10 -author: greg-lindsay +redirect_url: upgrade-readiness-requirements.md --- -# Upgrade Analytics requirements - -This article introduces concepts and steps needed to get up and running with Upgrade Analytics. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Analytics. - -## Supported upgrade paths - -To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows telemetry, Upgrade Analytics performs a full inventory of computers so that you can see which version of Windows is installed on each computer. - -The compatibility update KB that sends telemetry data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Analytics cannot evaluate Windows XP or Windows Vista for upgrade eligibility. - - - -If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center. - -Note: Upgrade Analytics is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Analytics insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance. - -See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements. 
- -## Operations Management Suite - -Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). - -If you’re already using OMS, you’ll find Upgrade Analytics in the Solutions Gallery. Click the Upgrade Analytics tile in the gallery and then click Add on the solution’s details page. Upgrade Analytics is now visible in your workspace. - -If you are not using OMS, go to [the Upgrade Analytics page on Microsoft.com](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics) and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Analytics solution to it. - -Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. - -## System Center Configuration Manager integration - -Upgrade Analytics can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Analytics with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). - -## Telemetry and data sharing - -After you’ve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, you’ll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Analytics. 
- -See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Analytics collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data. - -**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, you’ll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this. - -`https://v10.vortex-win.data.microsoft.com/collect/v1`
-`https://vortex-win.data.microsoft.com/health/keepalive`
-`https://settings-win.data.microsoft.com/settings`
-`https://vortex.data.microsoft.com/health/keepalive`
-`https://settings.data.microsoft.com/qos`
-`https://go.microsoft.com/fwlink/?LinkID=544713`
-`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended`
- ->**Note** The compatibility update KB runs under the computer’s system account and does not support user authentication in this release. - -**Generate your commercial ID key.** Microsoft uses a unique commercial ID GUID to map data from your computers to your OMS workspace. You’ll need to generate your commercial ID key in OMS. We recommend that you save your commercial ID key as you’ll need it later. - -**Subscribe your OMS workspace to Upgrade Analytics.** For Upgrade Analytics to receive and display upgrade readiness data from Microsoft, you’ll need to subscribe your OMS workspace to Upgrade Analytics. - -**Enable telemetry and connect data sources.** To allow Upgrade Analytics to collect system, application, and driver data and assess your organization’s upgrade readiness, communication must be established between Upgrade Analytics and user computers. You’ll need to connect Upgrade Analytics to your data sources and enable telemetry to establish communication. - -**Deploy compatibility update and related KBs.** The compatibility update KB scans your systems and enables application usage tracking. If you don’t already have this KB installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager. - ->**Important**
The compatibility update and related KBs are updated frequently to include new compatibility issues as they become known to Microsoft. We recommend that you use a deployment system that allows for automatic updates of these KBs. The compatibility update KB collects inventory information from computers only when it is updated. - -**Configure and deploy Upgrade Analytics deployment script.** Configure and deploy the Upgrade Analytics deployment script to user computers to finish setting up. - -## Important information about this release - -Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release. - -**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints. - -**Upgrade Analytics does not support on-premises Windows deployments.** Upgrade Analytics is built as a cloud service, which allows Upgrade Analytics to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises. - -**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Analytics solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. 
We’re adding support for additional regions and we’ll update this information when new international regions are supported. - -### Tips - -- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items. - -- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in OMS, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby). - -## Get started - -See [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Analytics and getting started on your Windows upgrade project. diff --git a/windows/deploy/upgrade-analytics-resolve-issues.md b/windows/deploy/upgrade-analytics-resolve-issues.md index ec6f782f9e..7a4a756cdf 100644 --- a/windows/deploy/upgrade-analytics-resolve-issues.md +++ b/windows/deploy/upgrade-analytics-resolve-issues.md 
@@ -1,145 +1,5 @@ --- title: Upgrade Analytics - Resolve application and driver issues (Windows 10) -description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Analytics. -ms.prod: w10 -author: greg-lindsay +redirect_url: upgrade-readiness-resolve-issues.md --- -# Upgrade Analytics - Step 2: Resolve app and driver issues - -This section of the Upgrade Analytics workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them. - -You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list. - -Upgrade decisions include: - -| Upgrade decision | When to use it | Guidance | -|--------------------|-------------------|-------------| -| Not reviewed | All drivers are marked as Not reviewed by default.

Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default.
| Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.

| -| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.

Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.

| Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
| -| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.

In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
| -| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.

Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade.
| If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.

| - -The blades in the **Resolve issues** section are: - -- Review applications with known issues -- Review applications with no known issues -- Review drivers with known issues - -As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/). - -## Review applications with known issues - -Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**. - - - -![Review applications with known issues](images/upgrade-analytics-apps-known-issues.png) - -To change an application's upgrade decision: - -1. Select **Decide upgrade readiness** to view applications with issues. -2. In the table view, select an **UpgradeDecision** value. -3. Select **Decide upgrade readiness** to change the upgrade decision for each application. -4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list. -5. Click **Save** when finished. - -IMORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information. - -For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible. - -| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | -|--------------------|-----------------------------------|-----------|-----------------|------------| -| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
| No action is required for the upgrade to proceed. | -| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Analytics is not able to remove the application during upgrade.

The application may work on the new operating system.
| Remove the application before upgrading, and reinstall and test on new operating system. | -| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
| -| Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
| -| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.

A compatible version of the application may be available.
| -| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further.
| Test the application’s behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system.
| -| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. | - -For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft. - -| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | -|--------------------|-----------------------------------|----------|-----------------|-------------| -| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and won’t migrate. A compatible version of the application is available. | Update the application before upgrading. | -| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process.
| No action is required for the upgrade to proceed. Reinstall application on the new operating system. | -| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate. | Remove the application before upgrading and reinstall on the new operating system.
| -| Fix available | Yes | Disk encryption blocking upgrade | The application’s encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.
| - -### ISV support for applications with Ready for Windows - -[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/). - -Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example: - -![Upgrade analytics Ready for Windows status](images/upgrade-analytics-ready-for-windows-status.png) - -If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance. - -![Upgrade analytics Ready for Windows status guidance precedence](images/upgrade-analytics-ready-for-windows-status-guidance-precedence.png) - -If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows. - -![Name publisher rollup](images/upgrade-analytics-namepub-rollup.png) - -The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses) - -| Ready for Windows Status | Query rollup level | What this means | Guidance | -|-------------------|--------------------------|-----------------|----------| -|Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. 
| -| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. | -| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. | -| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A | -| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.| -|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10.| -|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.| -| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A | - -## Review applications with no known issues - -Applications with no issues known to Microsoft are listed, grouped by upgrade decision. 
- -![Review applications with no known issues](images/upgrade-analytics-apps-no-known-issues.png) - -Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**. - -Be sure to review low install count applications for any business critical or important applications that may not yet be upgrade-ready, despite their low installation rates. - -To change an application's upgrade decision: - -1. Select **Decide upgrade readiness** to view applications with issues. Select **Table** to view the list in a table. - -2. Select **User changes** to change the upgrade decision for each application. - -3. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list. - -4. Click **Save** when finished. - -## Review drivers with known issues - -Drivers that won’t migrate to the new operating system are listed, grouped by availability. - -![Review drivers with known issues](images/upgrade-analytics-drivers-known.png) - -Availability categories are explained in the table below. - -| Driver availability | Action required before or after upgrade? | What it means | Guidance | -|-----------------------|------------------------------------------|----------------|--------------| -| Available in-box | No, for awareness only | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system.
| No action is required for the upgrade to proceed. | -| Import from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system; however, a compatible version is available from Windows Update.
| If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
| -| Available in-box and from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system.

Although a new driver is installed during upgrade, a newer version is available from Windows Update.
| If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
| -| Check with vendor | Yes | The driver won’t migrate to the new operating system and we are unable to locate a compatible version.
| Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. | - -To change a driver’s upgrade decision: - -1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table. - -2. Select **User changes** to enable user input. - -3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. - -4. Click **Save** when finished. - diff --git a/windows/deploy/upgrade-analytics-review-site-discovery.md b/windows/deploy/upgrade-analytics-review-site-discovery.md index e42b53e9d0..d85a94284a 100644 --- a/windows/deploy/upgrade-analytics-review-site-discovery.md +++ b/windows/deploy/upgrade-analytics-review-site-discovery.md @@ -1,6 +1,6 @@ --- title: Review site discovery -redirect_url: upgrade-analytics-additional-insights +redirect_url: upgrade-readiness-additional-insights.md --- diff --git a/windows/deploy/upgrade-analytics-upgrade-overview.md b/windows/deploy/upgrade-analytics-upgrade-overview.md index 4d1885b34a..f3ca98db09 100644 --- a/windows/deploy/upgrade-analytics-upgrade-overview.md +++ b/windows/deploy/upgrade-analytics-upgrade-overview.md 
@@ -1,51 +1,4 @@ --- title: Upgrade Analytics - Upgrade Overview (Windows 10) -description: Displays the total count of computers sharing data and upgraded. -ms.prod: w10 -author: greg-lindsay +redirect_url: upgrade-readiness-upgrade-overview.md --- - -# Upgrade Analytics - Upgrade overview - -The first blade in the Upgrade Analytics solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases. - -The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The following status changes are reflected on the upgrade overview blade: - -- Computers with incomplete data: - - Less than 4% = count is displayed in green. - - 4% - 10% = Count is displayed in amber. - - Greater than 10% = Count is displayed in red. -- Delay processing device inventory data = The "Last updated" banner is displayed in amber. -- Pending user changes = User changes count displays "Data refresh pending" in amber. -- No pending user changes = User changes count displays "Up to date" in green. - -In the following example, less than 4% of (3k\355k) computers have incomplete data, and there are no pending user changes: - -![Upgrade overview](images/ua-cg-17.png) - - - -If data processing is delayed, you can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed. Data is typically refreshed and the display will return to normal again within 24 hours. 
- -Select **Total computers** for a list of computers and details about them, including: - -- Computer ID and computer name -- Computer manufacturer -- Computer model -- Operating system version and build -- Count of system requirement, application, and driver issues per computer -- Upgrade assessment based on analysis of computer telemetry data -- Upgrade decision status - -Select **Total applications** for a list of applications discovered on user computers and details about them, including: - -- Application vendor -- Application version -- Count of computers the application is installed on -- Count of computers that opened the application at least once in the past 30 days -- Percentage of computers in your total computer inventory that opened the application in the past 30 days -- Issues detected, if any -- Upgrade assessment based on analysis of application data -- Rollup level \ No newline at end of file diff --git a/windows/deploy/upgrade-readiness-additional-insights.md b/windows/deploy/upgrade-readiness-additional-insights.md new file mode 100644 index 0000000000..e7a8b7a54c --- /dev/null +++ b/windows/deploy/upgrade-readiness-additional-insights.md 
@@ -0,0 +1,81 @@ +--- +title: Upgrade Readiness - Additional insights +description: Explains additional features of Upgrade Readiness. +ms.prod: w10 +author: greg-lindsay +--- + +# Upgrade Readiness - Additional insights + +This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include: + +- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7 or Windows 8.1 using Internet Explorer. +- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers. + +## Site discovery + +The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 8.1 and Windows 7. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. + +> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. 
+ +### Install prerequisite security update for Internet Explorer + +Ensure the following prerequisites are met before using site discovery: + +1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. +2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)). +3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. + + If necessary, you can also enable it by creating the following registry entry. + + HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection + + Entry name: IEDataOptIn + + Data type: DWORD + + Values: + + > *IEOptInLevel = 0 Internet Explorer data collection is disabled* + > + > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones* + > + > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones* + > + > *IEOptInLevel = 3 Data collection is enabled for all sites* + + For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx). + + ![Create the IEDataOptIn registry key](images/upgrade-analytics-create-iedataoptin.png) + +### Review most active sites + +This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page. + +For each site, the fully qualified domain name will be listed. 
You can sort the data by domain name or by URL. + +![Most active sites](Images/upgrade-analytics-most-active-sites.png) + +Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name. + +![Site domain detail](images/upgrade-analytics-site-domain-detail.png) + +### Review document modes in use + +This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes). + +![Site activity by document mode](images/upgrade-analytics-site-activity-by-doc-mode.png) + +### Run browser-related queries + +You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries. + +![](images/upgrade-analytics-query-activex-name.png) + +## Office add-ins + +Office add-ins provides a list of the Microsoft Office add-ins in your environment, and enumerates the computers that have these add-ins installed. This information should not affect the upgrade decision workflow, but can be helpful to an administrator. + +## Related topics + +[Upgrade Readiness release notes](upgrade-readiness-release-notes.md) diff --git a/windows/deploy/upgrade-readiness-architecture.md b/windows/deploy/upgrade-readiness-architecture.md new file mode 100644 index 0000000000..c4cafc8768 --- /dev/null 
+++ b/windows/deploy/upgrade-readiness-architecture.md @@ -0,0 +1,30 @@ +--- +title: Upgrade Readiness architecture (Windows 10) +description: Describes Upgrade Readiness architecture. +ms.prod: w10 +author: greg-lindsay +--- + +# Upgrade Readiness architecture + +Microsoft analyzes system, application, and driver telemetry data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation. + + + +![Upgrade Readiness architecture](images/upgrade-analytics-architecture.png) + +After you enable Windows telemetry on user computers and install the compatibility update KB (1), user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, telemetry data is analyzed by the Upgrade Readiness Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades. + +For more information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see: + +[Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
+[Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+[Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
+ +##**Related topics** + +[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
+[Upgrade Readiness release notes](upgrade-readiness-release-notes.md)
+[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
diff --git a/windows/deploy/upgrade-readiness-deploy-windows.md b/windows/deploy/upgrade-readiness-deploy-windows.md new file mode 100644 index 0000000000..bb54670f8d --- /dev/null +++ b/windows/deploy/upgrade-readiness-deploy-windows.md 
@@ -0,0 +1,97 @@ +--- +title: Upgrade Readiness - Get a list of computers that are upgrade-ready (Windows 10) +description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness. +ms.prod: w10 +author: greg-lindsay +--- + +# Upgrade Readiness - Step 3: Deploy Windows + +All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready. +The blades in the **Deploy** section are: + +- [Deploy eligible computers](#deploy-eligible-computers) +- [Deploy computers by group](#computer-groups) + +>Computers that are listed in this step are assigned an **UpgradeDecision** value, and the total count of computers in each upgrade decision category is displayed. Additionally, computers are assigned an **UpgradeAssessment** value. This value is displayed by drilling down into a specific upgrade decision category. For information about upgrade assessment values, see [Upgrade assessment](#upgrade-assessment). + +## Deploy eligible computers + +In this blade, computers grouped by upgrade decision are listed. The upgrade decision on the machines is a calculated value based on the upgrade decision status for the apps and drivers installed on the computer. This value cannot be modified directly. The upgrade decision is calculated in the following ways: +- **Review in progress**: At least one app or driver installed on the computer is marked **Review in progress**. +- **Ready to upgrade**: All apps and drivers installed on the computer are marked as **Ready to Upgrade**. +- **Won’t upgrade**: At least one app or driver installed on the computer is marked as **Won’t upgrade**, or a system requirement is not met. 
+ + + +![Deploy eligible computers](images/ua-cg-16.png) + +Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers. + +>**Important**
When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. + +## Computer groups + +Computer groups allow you to segment your environment by creating device groups based on OMS log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/). + +Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Readiness Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS. + +### Getting started with Computer Groups + +When you sign in to OMS, you will see a new blade entitled **Computer Groups**. See the following example: + +![Computer groups](images/ua-cg-01.png) + +To create a computer group, open **Log Search** and create a query based on **Type=UAComputer**, for example: + +``` +Type=UAComputer Manufacturer=DELL +``` + +![Computer groups](images/ua-cg-02.png) + +When you are satisfied that the query is returning the intended results, add the following text to your search: + +``` +| measure count() by Computer +``` + +This will ensure every computer only shows up once. Then, save your group by clicking **Save** and **Yes**. See the following example: + +![Computer groups](images/ua-cg-03.png) + +Your new computer group will now be available in Upgrade Readiness. See the following example: + +![Computer groups](images/ua-cg-04.png) + +### Using Computer Groups + +When you drill into a computer group, you will see that computers are categorized by **UpgradeDecision**. 
For computers with the status **Review in progress** or **Won’t upgrade** you can drill down to view issues that cause a computer to be in each category, or you can simply display a list of the computers in the category. For computers that are designated **Ready to upgrade**, you can go directly to the list of computers that are ready. + +![Computer groups](images/ua-cg-05.png) + +Viewing a list of computers in a certain status is self-explanatory, Let’s look at what happens when you click the details link on **Review in progress**: + +![Computer groups](images/ua-cg-06.png) + +Next, select if you want to see application issues (**UAApp**) or driver issues (**UADriver**). See the following example of selecting **UAApp**: + +![Computer groups](images/ua-cg-07.png) + +A list of apps that require review so that Dell Computers are ready for upgrade to Windows 10 is displayed. + +### Upgrade assessment + +Upgrade assessment and guidance details are explained in the following table. + +| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance | +|-----------------------|------------------------------------------------|----------|-----------------|---------------| +| No known issues | No | None | Computers will upgrade seamlessly.
| OK to use as-is in pilot. | +| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. | +| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.

If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.

| + +Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file. + +>**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. \ No newline at end of file diff --git a/windows/deploy/upgrade-readiness-deployment-script.md b/windows/deploy/upgrade-readiness-deployment-script.md new file mode 100644 index 0000000000..e1decfb250 --- /dev/null +++ b/windows/deploy/upgrade-readiness-deployment-script.md 
@@ -0,0 +1,265 @@ +--- +title: Upgrade Readiness deployment script (Windows 10) +description: Deployment script for Upgrade Readiness. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +--- + +# Upgrade Readiness deployment script + +To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft. + +>[!IMPORTANT] +>Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution. + +For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/). + +> The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, please download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). + +The Upgrade Readiness deployment script does the following: + +1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys. +2. Verifies that user computers can send data to Microsoft. +3. Checks whether the computer has a pending restart.   +4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended). +5. If enabled, turns on verbose mode for troubleshooting. +6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness. +7. 
If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file. + +To run the Upgrade Readiness deployment script: + +1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization. + +2. Edit the following parameters in RunConfig.bat: + + 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics + + 2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry. + + 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options: + + > *logMode = 0 log to console only* +> + > *logMode = 1 log to file and console* +> + > *logMode = 2 log to file only* + +3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. 
Then use one of the following options to determine what Internet Explorer data can be collected: + + > *IEOptInLevel = 0 Internet Explorer data collection is disabled* + > + > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones* + > + > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones* + > + > *IEOptInLevel = 3 Data collection is enabled for all sites* + +4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. + +The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Exit codeMeaning +Suggested fix + +
0Success +N/A + +
1Unexpected error occurred while executing the script. + The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again. + +
2Error when logging to console. $logMode = 0.
(console only) +
Try changing the $logMode value to **1** and try again.
$logMode value 1 logs to both console and file. + +
3Error when logging to console and file. $logMode = 1. +Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. + +
4Error when logging to file. $logMode = 2. +Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. + +
5Error when logging to console and file. $logMode = unknown. +Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. + +
6The commercialID parameter is set to unknown.
Modify the runConfig.bat file to set the CommercialID value. +
The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. +
See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace. + +
8Failure to create registry key path:
**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
+
The Commercial Id property is set at the following registry key path:
**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
+
Verify that the context under which the script in running has access to the registry key. + +
9The script failed to write Commercial Id to registry. +
Error creating or updating registry key: **CommercialId** at
**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
+
Verify that the context under which the script in running has access to the registry key. + +
10Error when writing **CommercialDataOptIn** to the registry at
**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
+
Verify that the deployment script is running in a context that has access to the registry key. + +
11Function **SetupCommercialId** failed with an unexpected exception. +The **SetupCommercialId** function updates the Commercial Id at the registry key path:
**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**

Verify that the configuration script has access to this location. + +
12Can’t connect to Microsoft - Vortex. Check your network/proxy settings. +**Http Get** on the end points did not return a success exit code.
+For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive.
+For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. +
If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). + + +
13Can’t connect to Microsoft - setting. +An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). + + +
14Can’t connect to Microsoft - compatexchange. +An error occurred connecting to https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc . This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). + +
15Function CheckVortexConnectivity failed with an unexpected exception. +This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult. + +
16The computer requires a reboot before running the script. +A reboot is required to complete the installation of the compatibility update and related KBs. Reboot the computer before running the Upgrade Readiness deployment script. + +
17Function **CheckRebootRequired** failed with an unexpected exception. +A reboot is required to complete installation of the compatibility update and related KBs. Check the logs for the exception message and the HResult. + +
18Appraiser KBs not installed or **appraiser.dll** not found. +Either the Appraiser KBs are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser telemetry events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic. + +
19Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception. +Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed. + +
20An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at
**HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser**
+
The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. + +
21Function **SetRequestAllAppraiserVersions** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
22**RunAppraiser** failed with unexpected exception. +Check the logs for the exception message and HResult. Check the **%windir%\System32*8 directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file. + +
23Error finding system variable **%WINDIR%**. +Verify that this environment variable is configured on the computer. + +
24The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at
**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
+
This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult. + +
25The function **SetIEDataOptIn** failed with unexpected exception. +Check the logs for the exception message and HResult. + +
26The operating system is Server or LTSB SKU. + The script does not support Server or LTSB SKUs. + +
27The script is not running under **System** account. +The Upgrade Readiness configuration script must be run as **System**. + +
28Could not create log file at the specified **logPath**. + Make sure the deployment script has access to the location specified in the **logPath** parameter. + +
29Connectivity check failed for proxy authentication. +Install the cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. +
The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7. +
For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). +
For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). + +
30Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. +The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7. +
For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). +
For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). + +
31There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. +Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m. + +
32Appraiser version on the machine is outdated. +The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for Windows 7 SP1/Windows 8.1. + +
33**CompatTelRunner.exe** exited with an exit code +**CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Please check the logs for more details. + +
34Function **CheckProxySettings** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
35Function **CheckAuthProxy** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
36Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
37**Diagnose_internal.cmd** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
38Function **Get-SqmID** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
39For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path
**HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**
+or
**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
+
For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization). + +
40Function **CheckTelemetryOptIn** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
41The script failed to impersonate the currently logged on user. +The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the logged on user. The script also tries to mimic this, but the process failed. + +
42Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
43Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
+ +
+ + + + + diff --git a/windows/deploy/upgrade-readiness-get-started.md b/windows/deploy/upgrade-readiness-get-started.md new file mode 100644 index 0000000000..9f9abda9b2 --- /dev/null +++ b/windows/deploy/upgrade-readiness-get-started.md @@ -0,0 +1,133 @@ +--- +title: Get started with Upgrade Readiness (Windows 10) +description: Explains how to get started with Upgrade Readiness. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +--- + +# Get started with Upgrade Readiness + +This topic explains how to obtain and configure Upgrade Readiness for your organization. + +You can use Upgrade Readiness to plan and manage your upgrade project end-to-end. Upgrade Readiness works by establishing communications between computers in your organization and Microsoft. Upgrade Readiness collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft. + +Before you begin, consider reviewing the following helpful information:
+ - [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
+ - [Upgrade Readiness blog](https://blogs.technet.microsoft.com/UpgradeAnalytics): Contains announcements of new features and provides helpful tips for using Upgrade Readiness. + +>If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). + +When you are ready to begin using Upgrade Readiness, perform the following steps: + +1. Review [data collection and privacy](#data-collection-and-privacy) information. +2. [Add Upgrade Readiness to OMS](#add-upgrade-readiness-to-operations-management-suite). +3. [Enable data sharing](#enable-data-sharing). +4. [Deploy required updates](#deploy-the-compatibility-update-and-related-kbs) to computers, and validate using a pilot deployment. +5. [Deploy Upgrade Readiness at scale](#deploy-upgrade-readiness-at-scale). + +## Data collection and privacy + +To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. 
For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see the following topics: + +- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) +- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services) +- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) + +## Add Upgrade Readiness to Operations Management Suite + +Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). + +If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. + +If you are not using OMS: + +1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process. +2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. +3. Create a new OMS workspace. 
Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. +4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. + + > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens. + +1. To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness. + +2. Click the **Upgrade Readiness** tile to configure the solution. The **Settings Dashboard** opens. + +### Generate your commercial ID key + +Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. Generate your commercial ID key in OMS and then deploy it to user computers. + +1. On the Settings Dashboard, navigate to the **Windows telemetry** panel. + + ![upgrade-readiness-telemetry](images/upgrade-analytics-telemetry.png) + +2. On the Windows telemetry panel, copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Readiness deployment script later so it can be deployed to user computers. + + >**Important**
Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you’ll need to deploy the new commercial ID key to user computers again. + +### Subscribe to Upgrade Readiness + +For Upgrade Readiness to receive and display upgrade readiness data from Microsoft, subscribe your OMS workspace to Upgrade Readiness. + +1. On the **Windows telemetry** panel, click **Subscribe**. The button changes to **Unsubscribe**. Unsubscribe from the Upgrade Readiness solution if you no longer want to receive upgrade-readiness information from Microsoft. Note that user computer data will continue to be shared with Microsoft for as long as the opt-in keys are set on user computers and the proxy allows the traffic. + +1. Click **Overview** on the Settings Dashboard to return to your OMS workspace portal. The Upgrade Readiness tile now displays summary data. Click the tile to open Upgrade Readiness. + +## Enable data sharing + +To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this. + +Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account. + +| **Endpoint** | **Function** | +|---------------------------------------------------------|-----------| +| `https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. | +| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. | +| `https://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. | + + +## Deploy the compatibility update and related KBs + +The compatibility update KB scans your computers and enables application usage tracking. If you don’t already have these KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager. + +| **Operating System** | **KBs** | +|----------------------|-----------------------------------------------------------------------------| +| Windows 10 | The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility KBs are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com)

Note: Windows 10 LTSB is not supported by Upgrade Readiness. See [Upgrade readiness requirements](upgrade-readiness-requirements.md) for more information. | +| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see

[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. | +| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see

[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2952664 must be installed before you can download and install KB3150513. | + +IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time. + +If you are planning to enable IE Site Discovery, you will need to install a few additional KBs. + +| **Site discovery** | **KB** | +|----------------------|-----------------------------------------------------------------------------| +| [Review site discovery](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-additional-insights#site-discovery) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
For more information about this KB, see

Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. | + +### Deploy the Upgrade Readiness deployment script + +You can use the Upgrade Readiness deployment script to automate and verify your deployment. + +See [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) for information on obtaining and running the script, and for a description of the error codes that can be displayed. + +>After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Readiness. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Readiness. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers. + +## Deploy Upgrade Readiness at scale + +When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining computers in your organization. + +### Automate data collection + +To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes. + +- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing. +- Schedule the Upgrade Readiness deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated. 
+- Schedule monthly user computer scans to view monthly active computer and usage information. + +>When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas are created when the update package is installed. A full scan averages to about 2 MB, but the delta scans are very small. For Windows 10 devices, its already part of the OS. This is the **Windows Compat Appraiser** task. Deltas are invoked via the nightly scheduled task. It attempts to run around 3AM, but if system is off at that time, the task will run when the system is turned on. + +### Distribute the deployment script at scale + +Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see the [Upgrade Readiness blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/). \ No newline at end of file diff --git a/windows/deploy/upgrade-readiness-identify-apps.md b/windows/deploy/upgrade-readiness-identify-apps.md new file mode 100644 index 0000000000..33b5d248c5 --- /dev/null +++ b/windows/deploy/upgrade-readiness-identify-apps.md 
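Review bot: The "Enable data sharing" note tells readers on user authenticated proxies to "read this blog post to learn what you need to do to run it under the logged on user account", but the requirements topic added in this same change states "User authenticated proxies are not supported in this release"; reconcile the two before merging, since an admin following this page would configure the proxy on an assumption the other topic calls unsupported. Several KB cells end with the dangling fragment "For more information about this KB, see" with nothing after it (KB 2976978, KB 3150513 twice, KB2952664, KB3080149); either add the reference or drop the sentence. Smaller points: the keepalive endpoint is written `https://Vortex-win.data.microsoft.com/health/keepalive` here and `https://vortex-win.data.microsoft.com/health/keepalive` in the requirements topic, so pick one casing for anyone comparing allowlist entries as strings; the "If you are not using OMS" list restarts at "1." after step 4; and the scheduled-task note has "The daily scheduled task to capture the deltas are created", "its already part of the OS" and "most your computers".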
@@ -0,0 +1,36 @@ +--- +title: Upgrade Readiness - Identify important apps (Windows 10) +description: Describes how to prepare your environment so that you can use Upgrade Readiness to manage Windows upgrades. +ms.prod: w10 +author: greg-lindsay +--- + +# Upgrade Readiness - Step 1: Identify important apps + +This is the first step of the Upgrade Readiness workflow. In this step, applications are listed and grouped by importance level. Setting the importance level enables you to prioritize applications for upgrade. + + + +![Prioritize applications](images/upgrade-analytics-prioritize.png) + +Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them. + +To change an application’s importance level: + +1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level. +2. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list. +3. Click **Save** when finished. + +Importance levels include: + +| Importance level | When to use it | Recommendation | +|--------------------|------------------|------------------| +| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]

Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.
| Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. For example, payroll apps or tax accounting apps tend to be installed on a relatively small number of machines but are still considered business critical applications.

| +| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you set their importance level.

| Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. | +| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.

| You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
| +| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
| +| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**.
| Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing. If you set the importance level to ignore, and this is an app that you are not planning on testing or validating, consider changing the upgrade decision to **Ready to upgrade**. By marking these apps ready to upgrade, you are indicating that you are comfortable upgrading with the app remaining in its current state.

| +| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.
| As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.

Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**.
| + diff --git a/windows/deploy/upgrade-readiness-release-notes.md b/windows/deploy/upgrade-readiness-release-notes.md new file mode 100644 index 0000000000..e023406035 --- /dev/null +++ b/windows/deploy/upgrade-readiness-release-notes.md @@ -0,0 +1,5 @@ +--- +title: Upgrade Readiness release notes (Windows 10) +description: Provides tips and limitations about Upgrade Readiness. +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-requirements#important-information-about-this-release +--- \ No newline at end of file diff --git a/windows/deploy/upgrade-readiness-requirements.md b/windows/deploy/upgrade-readiness-requirements.md new file mode 100644 index 0000000000..5f706bab59 --- /dev/null +++ b/windows/deploy/upgrade-readiness-requirements.md 
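Review bot: The "When to use it" cell of the "Review in progress" row repeats, word for word, the "Recommendation" cell of the "Not reviewed" row ("Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns."); that sentence is the trigger for moving to the status, not guidance on when to pick it, so keep it in one place. The bracketed formula in the "Low install count" row, "\[Number of computers application is installed on/total number of computers in your inventory.\]", reads as a stray editorial note; turn it into a sentence or drop it. If the line breaks inside these table cells are literal newlines rather than `<br>` tags, the rows will not render as a table in markdown; please confirm in the rendered preview.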
@@ -0,0 +1,95 @@ +--- +title: Upgrade Readiness requirements (Windows 10) +description: Provides requirements for Upgrade Readiness. +ms.prod: w10 +author: greg-lindsay +--- + +# Upgrade Readiness requirements + +This article introduces concepts and steps needed to get up and running with Upgrade Readiness. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Readiness. + +## Supported upgrade paths + +### Windows 7 and Windows 8.1 + +To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows telemetry, Upgrade Readiness performs a full inventory of computers so that you can see which version of Windows is installed on each computer. + +The compatibility update KB that sends telemetry data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility. + + + +If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center. + +Note: Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance. + +See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements. 
+ +### Windows 10 + +Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates. +The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility KBs are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). + +Windows 10 LTSB is not supported by Upgrade Readiness. The LTSB (long term servicing branch) of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#long-term-servicing-branch) to understand more about LTSB. + +## Operations Management Suite + +Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). + +If you’re already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Click the Upgrade Readiness tile in the gallery and then click Add on the solution’s details page. Upgrade Readiness is now visible in your workspace. + +If you are not using OMS, go to the [Upgrade Readiness page](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics) on Microsoft.com and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Readiness solution to it. + +Important: You can use either a Microsoft Account or a Work or School account to create a workspace. 
If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. + +## System Center Configuration Manager integration + +Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). + +## Telemetry and data sharing + +After you’ve signed in to Operations Management Suite and added the Upgrade Readiness solution to your workspace, you’ll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Readiness. + +See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Readiness collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data. + +**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, you’ll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this. + +`https://v10.vortex-win.data.microsoft.com/collect/v1`
+`https://vortex-win.data.microsoft.com/health/keepalive`
+`https://settings.data.microsoft.com/qos`
+`https://go.microsoft.com/fwlink/?LinkID=544713`
+`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc`
+ +>**Note** The compatibility update KB runs under the computer’s system account and does not support user authentication in this release. + +**Generate your commercial ID key.** Microsoft uses a unique commercial ID GUID to map data from your computers to your OMS workspace. You’ll need to generate your commercial ID key in OMS. We recommend that you save your commercial ID key as you’ll need it later. + +**Subscribe your OMS workspace to Upgrade Readiness.** For Upgrade Readiness to receive and display upgrade readiness data from Microsoft, you’ll need to subscribe your OMS workspace to Upgrade Readiness. + +**Enable telemetry and connect data sources.** To allow Upgrade Readiness to collect system, application, and driver data and assess your organization’s upgrade readiness, communication must be established between Upgrade Readiness and user computers. You’ll need to connect Upgrade Readiness to your data sources and enable telemetry to establish communication. + +**Deploy compatibility update and related KBs.** The compatibility update KB scans your systems and enables application usage tracking. If you don’t already have this KB installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager. + +>**Important**
The compatibility update and related KBs are updated frequently to include new compatibility issues as they become known to Microsoft. We recommend that you use a deployment system that allows for automatic updates of these KBs. The compatibility update KB collects inventory information from computers only when it is updated. + +**Configure and deploy Upgrade Readiness deployment script.** Configure and deploy the Upgrade Readiness deployment script to user computers to finish setting up. + +## Important information about this release + +Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release. + +**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints. + +**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises. + +**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. 
We’re adding support for additional regions and we’ll update this information when new international regions are supported. + +### Tips + +- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items. + +- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in OMS, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby). + +## Get started + +See [Get started with Upgrade Readiness](upgrade-readiness-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Readiness and getting started on your Windows upgrade project. diff --git a/windows/deploy/upgrade-readiness-resolve-issues.md b/windows/deploy/upgrade-readiness-resolve-issues.md new file mode 100644 index 0000000000..7436b86607 --- /dev/null +++ b/windows/deploy/upgrade-readiness-resolve-issues.md 
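Review bot: "Important information about this release" says "User authenticated proxies are not supported in this release" and the telemetry note says the compatibility update KB "does not support user authentication in this release", yet the get-started topic in this same change points readers at a blog post for running it under the logged on user account, and the deployment script's error 41 describes the script impersonating the logged-on user when an auth proxy is set; settle on one statement and make the other two topics match. Typos: "Upgrade Anatlyics" under "Important information about this release", and "on premise" should be "on-premises" (the get-started topic already uses that form). The Azure-link paragraph is the one place this patch documents a privilege requirement, and it is buried mid-paragraph: "The account you used to create the workspace must have administrator permissions on the Azure subscription ... Once the link has been established, you can revoke the administrator permissions"; break it out into its own Note so the temporary nature of the elevated permission is not missed. The Tips bullet links "Sorting DocumentDB data using Order By" to explain sorting in OMS; confirm that is the intended reference, since the text is about OMS table views and the link is DocumentDB documentation.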
@@ -0,0 +1,152 @@ +--- +title: Upgrade Readiness - Resolve application and driver issues (Windows 10) +description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness. +ms.prod: w10 +author: greg-lindsay +--- + +# Upgrade Readiness - Step 2: Resolve app and driver issues + +This section of the Upgrade Readiness workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them. + +You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list. + +Upgrade decisions include: + +| Upgrade decision | When to use it | Guidance | +|--------------------|-------------------|-------------| +| Not reviewed | All drivers are marked as Not reviewed by default.

Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default.
| Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.

| +| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.

Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.

| Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
| +| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.

In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
| +| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.

Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade.
| If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.

| + +The blades in the **Resolve issues** section are: + +- Review applications with known issues +- Review applications with no known issues +- Review drivers with known issues + +As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/). + +## Review applications with known issues + +Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**. + + + +![Review applications with known issues](images/upgrade-analytics-apps-known-issues.png) + +To change an application's upgrade decision: + +1. Select **Decide upgrade readiness** to view applications with issues. +2. In the table view, select an **UpgradeDecision** value. +3. Select **Decide upgrade readiness** to change the upgrade decision for each application. +4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list. +5. Click **Save** when finished. + +IMORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information. + +For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible. + +| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | +|--------------------|-----------------------------------|-----------|-----------------|------------| +| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
| No action is required for the upgrade to proceed. | +| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Analytics is not able to remove the application during upgrade.

The application may work on the new operating system.
| Remove the application before upgrading, and reinstall and test on new operating system. | +| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
| +| Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
| +| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.

A compatible version of the application may be available.
| +| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further.
| Test the application’s behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system.
| +| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. | + +For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft. + +| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | +|--------------------|-----------------------------------|----------|-----------------|-------------| +| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and won’t migrate. A compatible version of the application is available. | Update the application before upgrading. | +| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process.
| No action is required for the upgrade to proceed. Reinstall application on the new operating system. | +| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate. | Remove the application before upgrading and reinstall on the new operating system.
| +| Fix available | Yes | Disk encryption blocking upgrade | The application’s encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.
| + +### ISV support for applications with Ready for Windows + +[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/). + +Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example: + +![Upgrade analytics Ready for Windows status](images/upgrade-analytics-ready-for-windows-status.png) + +If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance. + +![Upgrade analytics Ready for Windows status guidance precedence](images/upgrade-analytics-ready-for-windows-status-guidance-precedence.png) + +If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows. + +![Name publisher rollup](images/upgrade-analytics-namepub-rollup.png) + +>[!TIP] +>Within the Upgrade Readiness data model, an object of Type **UAApp** refers to a particular application installed on a specific computer. + +>To support dynamic aggregation and summation of data the Upgrade Readiness solution "rolls up" (aggregates) data in preprocessing. Rolling up to the **Granular** level enables display of the **App** level. In Upgrade Readiness terminology, an **App** is a unique combination of: app name, app vendor, app version, and app language. Thus, at the Granular level, you can see attributes such as **total install count**, which is the number of machines with a specific **App** installed. 
+ +>Upgrade Readiness also has a roll up level of **NamePublisher**, This level enables you to ignore different app versions within your organization for a particular app. In other words, **NamePublisher** displays statistics about a given app, aggregated across all versions. + +The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses) + +| Ready for Windows Status | Query rollup level | What this means | Guidance | +|-------------------|--------------------------|-----------------|----------| +|Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. | +| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. | +| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. | +| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A | +| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.| +|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. 
| The ISV has declared support for a version of this application on Windows 10.| +|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.| +| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A | + +## Review applications with no known issues + +Applications with no issues known to Microsoft are listed, grouped by upgrade decision. + +![Review applications with no known issues](images/upgrade-analytics-apps-no-known-issues.png) + +Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**. + +Be sure to review low install count applications for any business critical or important applications that may not yet be upgrade-ready, despite their low installation rates. + +To change an application's upgrade decision: + +1. Select **Decide upgrade readiness** to view applications with issues. Select **Table** to view the list in a table. + +2. Select **User changes** to change the upgrade decision for each application. + +3. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list. + +4. Click **Save** when finished. 
+ +## Review drivers with known issues + +Drivers that won’t migrate to the new operating system are listed, grouped by availability. + +![Review drivers with known issues](images/upgrade-analytics-drivers-known.png) + +Availability categories are explained in the table below. + +| Driver availability | Action required before or after upgrade? | What it means | Guidance | +|-----------------------|------------------------------------------|----------------|--------------| +| Available in-box | No, for awareness only | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system.
| No action is required for the upgrade to proceed. | +| Import from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system; however, a compatible version is available from Windows Update.
| If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
| +| Available in-box and from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system.

Although a new driver is installed during upgrade, a newer version is available from Windows Update.
| If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
| +| Check with vendor | Yes | The driver won’t migrate to the new operating system and we are unable to locate a compatible version.
| Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. | + +To change a driver’s upgrade decision: + +1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table. + +2. Select **User changes** to enable user input. + +3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. + +4. Click **Save** when finished. + diff --git a/windows/deploy/upgrade-readiness-upgrade-overview.md b/windows/deploy/upgrade-readiness-upgrade-overview.md new file mode 100644 index 0000000000..29777cad6f --- /dev/null +++ b/windows/deploy/upgrade-readiness-upgrade-overview.md 
@@ -0,0 +1,62 @@ +--- +title: Upgrade Readiness - Upgrade Overview (Windows 10) +description: Displays the total count of computers sharing data and upgraded. +ms.prod: w10 +author: greg-lindsay +--- + +# Upgrade Readiness - Upgrade overview + +The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases. + +The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md). + +The following color-coded status changes are reflected on the upgrade overview blade: + +- The "Last updated" banner: + - No delay in processing device inventory data = "Last updated" banner is displayed in green. + - Delay processing device inventory data = "Last updated" banner is displayed in amber. +- Computers with incomplete data: + - Less than 4% = Count is displayed in black. + - 4% - 10% = Count is displayed in amber. + - Greater than 10% = Count is displayed in red. +- User changes: + - Pending user changes = User changes count displays "Data refresh pending" in amber. + - No pending user changes = User changes count displays "Up to date" in green. +- Target version: + - If the current value matches the recommended value, the version is displayed in green. + - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber. + - If the current value is a deprecated OS version, the version is displayed in red. 
+ +In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version: + +![Upgrade overview](images/ur-overview.png) + + + +If data processing is delayed, you can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed. Data is typically refreshed and the display will return to normal again within 24 hours. + +If there are computers with incomplete data, verify that you have installed the latest compatibilty update and run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center. + +Select **Total computers** for a list of computers and details about them, including: + +- Computer ID and computer name +- Computer manufacturer +- Computer model +- Operating system version and build +- Count of system requirement, application, and driver issues per computer +- Upgrade assessment based on analysis of computer telemetry data +- Upgrade decision status + +Select **Total applications** for a list of applications discovered on user computers and details about them, including: + +- Application vendor +- Application version +- Count of computers the application is installed on +- Count of computers that opened the application at least once in the past 30 days +- Percentage of computers in your total computer inventory that opened the application in the past 30 days +- Issues detected, if any +- Upgrade assessment based on analysis of application data +- Rollup level \ No newline at end of file diff --git a/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md b/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md index 3b686e8dae..deb278bd8f 100644 
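Review bot: In upgrade-readiness-upgrade-overview.md the guidance for computers with incomplete data links to `[Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409)`: the name should be Upgrade Readiness, and because the rest of this page cross-references topics by relative path (the `[target version](use-upgrade-readiness-to-manage-windows-upgrades.md)` link earlier on the page), the deployment-script topic should be linked the same way, with the download link kept only if that topic does not already carry it. That target version link should also use the `#target-version` anchor, since the linked page has a **Target version** section. Smaller items: "overivew" and "compatibilty" are misspelled; `(6k\294k)` uses a backslash where the resolve-issues page writes the same kind of ratio with a slash; and the bullets describe the "Last updated" banner turning amber on a processing delay while the later paragraph says display returns to normal "within 24 hours", so it would help to say whether the amber banner and the "Data refresh pending" state for user changes are the same daily refresh cycle.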
--- a/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md +++ b/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md 
@@ -1,52 +1,4 @@ --- title: Use Upgrade Analytics to manage Windows upgrades (Windows 10) -description: Describes how to use Upgrade Analytics to manage Windows upgrades. -ms.prod: w10 -author: greg-lindsay +redirect_url: use-upgrade-readiness-to-manage-windows-upgrades.md --- - -# Use Upgrade Analytics to manage Windows upgrades - -You can use Upgrade Analytics to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Analytics enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues. - -- Based on telemetry data from user computers, Upgrade Analytics identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness. -- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them. - -When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks. - -![Workflow](images/ua-cg-15.png) - -Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step. - ->**Important**: You can use the [Target OS](#target-os) setting to evaluate computers that are runnign a specified version of Windows before starting the Upgrade Analytics workflow. By default, the Target OS is configured to the released version of Windows 10 for the Current Branch for Business (CBB). - -The following information and workflow is provided: - -- [Upgrade overview](upgrade-analytics-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers. 
-- [Step 1: Identify important apps](upgrade-analytics-identify-apps.md): Assign importance levels to prioritize your applications. -- [Step 2: Resolve issues](upgrade-analytics-resolve-issues.md): Identify and resolve problems with applications. -- [Step 3: Deploy](upgrade-analytics-deploy-windows.md): Start the upgrade process. - -Also see the following topic for information about additional items that can be affected by the upgrade process: - -- [Additional insights](upgrade-analytics-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity. - -## Target OS - -The target OS setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. - -As mentioned previously, the default target OS in Upgrade Analytics is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target OS setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. - -The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target OS. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Analytics is based on the target OS version. - -You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1610. - -To change the target OS setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Analytics solution: - -![Target OS](images/ua-cg-08.png) - ->You must be signed in to Upgrade Analytics as an administrator to view settings. 
- -On the **Upgrade Analytics Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target OS setting are reflected in evaluations when a new snapshot is uploaded to your workspace. - -![Target OS](images/ua-cg-09.png) diff --git a/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md new file mode 100644 index 0000000000..cd081245c1 --- /dev/null +++ b/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md 
@@ -0,0 +1,54 @@ +--- +title: Use Upgrade Readiness to manage Windows upgrades (Windows 10) +description: Describes how to use Upgrade Readiness to manage Windows upgrades. +ms.prod: w10 +author: greg-lindsay +--- + +# Use Upgrade Readiness to manage Windows upgrades + +You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues. + +- Based on telemetry data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness. +- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them. + +When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks. + +![Workflow](images/ua-cg-15.png) + +Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step. + +>**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are runnign a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB). + +The following information and workflow is provided: + +- [Upgrade overview](upgrade-readiness-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers. 
+- [Step 1: Identify important apps](upgrade-readiness-identify-apps.md): Assign importance levels to prioritize your applications. +- [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md): Identify and resolve problems with applications. +- [Step 3: Deploy](upgrade-readiness-deploy-windows.md): Start the upgrade process. + +Also see the following topic for information about additional items that can be affected by the upgrade process: + +- [Additional insights](upgrade-readiness-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity. + +## Target version + +The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. See the following example: + +![Target version](images/ur-target-version.png) + +As mentioned previously, the default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. + +The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version. + +You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1610. 
+ +To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution: + +![Target version](images/ua-cg-08.png) + +>You must be signed in to Upgrade Readiness as an administrator to view settings. + +On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace. + +![Target version](images/ua-cg-09.png) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 3a3d3bcda1..4e77353f2f 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -722,6 +722,7 @@ #### [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md) ### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) #### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) +#### [Preview features](preview-windows-defender-advanced-threat-protection.md) #### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) #### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) 
@@ -735,21 +736,53 @@ ##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) #### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) #### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) -##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) ##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) ##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) +###### [Alert process tree](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) +###### [Incident graph](investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph) +###### [Alert timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) ##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) ##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) +##### [View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) +###### [Search for specific alerts](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts) +###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) +###### [Export machine timeline 
events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) +###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) +##### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md) ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) -#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md) +##### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md) +###### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) +####### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) +####### [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation) +####### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) +####### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +###### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) +####### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) +####### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) +####### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) +####### [Check activity details in Action 
center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +####### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) +######## [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) +######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) +######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) #### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) ##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) ##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -#### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) +#### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) +##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) +###### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) +###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) +#### [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) +##### [Update general settings](general-settings-windows-defender-advanced-threat-protection.md) +##### [Turn on advanced 
features](advanced-features-windows-defender-advacned-threat-protection.md) +##### [Turn on preview experience](preview-settings-windows-defender-advanced-threat-protection.md) +##### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) +#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) +#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md) #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) #### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/advanced-features-windows-defender-advacned-threat-protection.md b/windows/keep-secure/advanced-features-windows-defender-advacned-threat-protection.md new file mode 100644 index 0000000000..d7678c4832 --- /dev/null +++ b/windows/keep-secure/advanced-features-windows-defender-advacned-threat-protection.md 
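Review bot: two of the new TOC targets carry misspelled file names that will become part of the published URL: `advanced-features-windows-defender-advacned-threat-protection.md` ("advacned") and `fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md` ("unhealhty", used by the "Fix unhealthy sensors" entry and its `#inactive-machines` and `#misconfigured-machines` anchors). The links resolve because the new file below is created under the misspelled name, so the build will not catch this; rename the files and update the TOC entries that point at them before merge, since changing a published path later needs a redirect.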
@@ -0,0 +1,30 @@ +--- +title: Turn on advanced features in Windows Defender Advanced Threat Protection +description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection. +keywords: advanced features, preferences setup, block file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- +# Turn on advanced features in Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +1. In the navigation pane, select **Preferences setup** > **Advanced features**. +2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. +3. Click **Save preferences**. + +## Related topics +- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) +- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) +- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md index 3a4746998e..f9805f6b95 100644 --- a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md 
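Review bot: the body of this new page never names an advanced feature, while the frontmatter description promises "advanced features such as block file"; steps 1 to 3 only say to select "the advanced feature you want to configure" and toggle it. Add a short list of the toggles available under **Preferences setup** > **Advanced features** with what each one enables, otherwise a reader cannot tell what they are turning on or what the security impact of the switch is. The `+++` path also misspells "advanced" as "advacned", matching the TOC typo noted above.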
@@ -21,55 +21,99 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -As a security operations team member, you can manage Windows Defender ATP alerts as part of your routine activities. Alerts will appear in queues according to their current status. +The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In any of the queues, you'll see details such as the severity of alerts and the number of machines where the alerts were seen. + +Alerts are organized in queues by their workflow status or assignment: + +- **New** +- **In progress** +- **Resolved** +- **Assigned to me** To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane. > [!NOTE] > By default, the queues are sorted from newest to oldest. -The following table and screenshot demonstrate the main areas of the **Alerts queue**. +## Sort and filter the alerts +You can sort and filter the alerts by using the available filters or clicking columns that allows you to sort the view in ascending or descending order. -![Screenshot of the Dashboard showing the New Alerts list and navigation bar](images/alertsq2.png) +![Alerts queue with numbers](images/alerts-queue-numbered.png) Highlighted area|Area name|Description :---|:---|:--- -(1)|**Alerts queue**| Select to show **New**, **In Progress**, or **Resolved alerts** -(2)|Alerts|Each alert shows:

  • The severity of an alert as a colored bar
  • A short description of the alert, including the name of the threat actor (in cases where the attribution is possible)
  • The last occurrence of the alert on any machine
  • The number of days the alert has been in the queue
  • The severity of the alert
  • The general category or type of alert, or the alert's kill-chain stage
  • The affected machine (if there are multiple machines, the number of affected machines will be shown)
  • A **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) that allows you to update the alert's status and add comments
Clicking an alert expands to display more information about the threat and brings you to the date in the timeline when the alert was detected. -(3)|Alerts sorting and filters | You can sort alerts by:
  • **Newest** (when the threat was last seen on your network)
  • **Time in queue** (how long the threat has been in your queue)
  • **Severity**
You can also filter the displayed alerts by:
  • Severity
  • Time period
See [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) for more details. +1 | Alert filters | Filter the list of alerts by severity, detection source, time period, or change the view from flat to grouped. +2 | Alert selected | Select an alert to bring up the **Alert management** to manage and see details about the alert. +3 | Alert management pane | View and manage alerts without leaving the alerts queue view. -##Sort and filter the Alerts queue -You can filter and sort (or "pivot") the Alerts queue to identify specific alerts based on certain criteria. -There are three mechanisms to pivot the queue against: +### Sort, filter, and group the alerts list +You can use the following filters to limit the list of alerts displayed during an investigation: -1. Sort the queue by opening the drop-down menu in the **Sort by** field and choosing: +**Severity**
- - **Newest** - Sorts alerts based on when the alert was last seen on an endpoint. - - **Time in queue** - Sorts alerts by the length of time an alert has been in the queue. - - **Severity** - Sorts alerts by their level of severity. +Alert severity | Description +:---|:--- +High
(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints. +Medium
(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages. +Low
(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization. +Informational
(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of. -2. Filter alerts by their **Severity** by opening the drop-down menu in the **Filter by** field and selecting one or more of the check boxes: +Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints. - - High (Red) - Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints. - - Medium (Orange) - Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages. - - Low (Yellow) - Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization. +**Detection source**
+- Windows Defender AV +- Windows Defender ATP -3. Limit the queue to see alerts from various set periods by clicking the drop-down menu in the date range field (by default, this is selected as **6 months**): +>[!NOTE] +>The Windows Defender AV filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product. - - **1 day** - - **3 days** - - **7 days** - - **30 days** - - **6 months** +**Time period**
+- 1 day +- 3 days +- 7 days +- 30 days +- 6 months - > [!NOTE] - > You can change the sort order (for example, from most recent to least recent) by clicking the sort order icon ![the sort order icon looks like two arrows on top of each other](images/sort-order-icon.png) +**View**
+- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top. +- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating alerts together. -### Related topics +The group view allows for efficient alert triage and management. + +### Use the Alert management pane +Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert. + +You can take immediate action on an alert and see details about an alert in the **Alert management** pane: + +- Change the status of an alert from new, to in progress, or resolved. +- Specify the alert classification from true alert or false alert. + Selecting true alert displays the **Determination** drop-down list to provide additional information about the true alert: + - APT + - Malware + - Security personnel + - Security testing + - Unwanted software + - Other +- Assign the alert to yourself if the alert is not yet assigned. +- View related activity on the machine. +- Add and view comments about the alert. + +>[!NOTE] +>You can also access the **Alert management** pane from the machine details view by selecting an alert in the **Alerts related to this machine** section. + +### Bulk edit alerts +Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together, which allows resolving multiple similar alerts in one action. 
+ +![Alerts queue bulk edit](images/alerts-q-bulk.png) + +## Related topics - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md index 129b49f08e..95c54414fa 100644 --- a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md 
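Review bot: the new "### Sort, filter, and group the alerts list" section documents filters (Severity, Detection source, Time period, View) but not sorting, even though the removed text listed the sort options (**Newest**, **Time in queue**, **Severity**) and the intro sentence still says you can sort by "clicking columns that allows you to sort the view in ascending or descending order"; either restore the sort options or drop "Sort" from the heading, and fix the grammar to "clicking a column heading, which sorts the view". In the numbered table, row 2 reads "Select an alert to bring up the **Alert management** to manage and see details" and is missing "pane" after **Alert management**. The sentence "The group view allows for efficient alert triage and management." repeats the **Grouped view** bullet immediately above it and can be removed.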
@@ -1,5 +1,5 @@ --- -title: Assign user access to the Windows Defender Advanced Threat Protection portal +title: Assign user access to the Windows Defender ATP portal description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal. keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh diff --git a/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..6f9e2ee36d --- /dev/null +++ b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,55 @@ +--- +title: Check sensor health state in Windows Defender ATP +description: Check sensor health on machines to see if they are misconfigured or inactive. +keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communication, communication +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Check sensor health state in Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +The sensor health tile provides information on the individual endpoint’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. + +![Windows Defender ATP sensor health tile](images/atp-sensor-health-filter.png) + +There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service: +- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month. +- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected. + +Clicking any of the groups directs you to Machines view, filtered according to your choice. 
+ +![Windows Defender ATP sensor filter](images/atp-sensor-filter.png) + +You can filter the health state list by the following status: +- **Active** - Machines that are actively reporting to the Windows Defender ATP service. +- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service. +- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues: + - **No sensor data** - Machines has stopped sending sensor data. Limited alerts can be triggered from the machine. + - **Impaired communication** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work. + +You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific machine information when you click the information icon. + +![Windows Defender ATP sensor filter](images/atp-machine-health-details.png) + +In the **Machines view**, you can download a full list of all the machines in your organization in a CSV format. To download, click the **Manage Alert** menu icon on the top corner of the page. + +>[!NOTE] +>Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is. + +## Related topic +- [Fix unhealthy sensors in Windows Defender ATP](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) 
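Review bot: the definition of **Inactive** is inconsistent within this hunk: the tile description says machines that have stopped reporting "for more than seven days in the past month", while the filter list under "You can filter the health state list" says only "stopped reporting to the Windows Defender ATP service"; use the same threshold in both places, since the number is what an operator needs to tune alerting on missing sensors. "Machines has stopped sending sensor data" should read "Machine has stopped sending sensor data", and "Ability to communicate with machine is impaired" needs "the machine". The CSV download instruction says to click the **Manage Alert** menu icon in the **Machines view**; that is the name of the per-alert menu on the alerts page, so confirm the label of the control actually shown in Machines view. The Related topic link also targets the misspelled `fix-unhealhty-sensors-...md` file name.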
diff --git a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md index 19e99c915d..2ad2430c0e 100644 --- a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Configure email notifications +# Configure email notifications in Windows Defender ATP **Applies to:** @@ -61,3 +61,8 @@ This section lists various issues that you may encounter when using email notifi 1. Check that the Windows Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk. 2. Check that your email security product is not blocking the email notifications from Windows Defender ATP. 3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications. + +## Related topics +- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) +- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md) +- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index c842ea1668..d5fb36ac0b 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md 
@@ -1,5 +1,5 @@ --- -title: Configure Windows Defender ATP endpoints using Mobile Device Management tools +title: Configure endpoints using Mobile Device Management tools description: Use Mobile Device Management tools to deploy the configuration package on endpoints so that they are onboarded to the service. keywords: configure endpoints using mdm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, mdm search.product: eADQiWindows 10XVcnh diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 33563eea6f..775b756512 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Defender ATP endpoints using System Center Configuration Manager +title: Configure endpoints using System Center Configuration Manager description: Use System Center Configuration Manager to deploy the configuration package on endpoints so that they are onboarded to the service. keywords: configure endpoints using sccm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm search.product: eADQiWindows 10XVcnh diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index cca969958e..73d4781fa1 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md 
@@ -1,6 +1,6 @@ --- title: Configure Windows Defender ATP endpoints -description: Configure endpoints so that they are onboarded to the service. +description: Configure endpoints so that they can send sensor data to the Windows Defender ATP sensor. keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index dd145bf769..49287b61de 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Defender ATP endpoint proxy and Internet connection settings +title: Configure endpoint proxy and Internet connection settings description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md index f8f22a049a..35dead1efe 100644 --- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md 
@@ -1,7 +1,7 @@ --- -title: Configure security information and events management tools -description: Configure supported security information and events management tools to receive and consume alerts. -keywords: configure siem, security information and events management tools, splunk, arcsight +title: Consume alerts and create custom indicators in Windows Defender Advanced Threat Protection +description: Learn how to configure supported security information and events management tools to receive and consume alerts and create custom indicators using REST API. +keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Configure security information and events management (SIEM) tools to consume alerts +# Consume alerts and create custom indicators **Applies to:** 
@@ -21,7 +21,9 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. +## Consume alerts using supported security information and events management (SIEM) tools +Windows Defender ATP supports (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. + Windows Defender ATP currently supports the following SIEM tools: @@ -35,6 +37,11 @@ To use either of these supported SIEM tools you'll need to: - [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +## Create custom threat indicators in Windows Defender ATP +You can also create custom threat indicators using the available REST API so that you can create specific alerts that are applicable to your organization. + +For more information, see [Create custom threat indicators (TI) using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md). + ## In this section Topic | Description 
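Review bot: the rewritten opening sentence under the new "## Consume alerts using supported security information and events management (SIEM) tools" heading now reads "Windows Defender ATP supports (SIEM) tools to consume alerts." The expansion was moved into the heading and left a dangling parenthetical; change it to "supports SIEM tools". In the frontmatter, "create custom indicators using REST API" should be "using the REST API", and the `## Create custom threat indicators` section could say which indicator types the API accepts (the linked page shows SHA1 IOCs) so readers know whether the feature covers their use case before clicking through.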
diff --git a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..7c5f60b159 --- /dev/null +++ b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,357 @@ +--- +title: Create custom threat intelligence using REST API in Windows Defender ATP +description: Create your custom alert definitions and indicators of compromise in Windows Defender ATP using the available APIs in Windows Enterprise, Education, and Pro editions. +keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Create custom alerts using the threat intelligence (TI) Application program interface (API) + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to create specific alerts that are applicable to your organization. + +## Before you begin +Before creating custom alerts, you'll need to enable the threat intelligence application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md). 
+ +### Use the threat intelligence REST APIs to create custom threat intelligence alerts +You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource, you call and specify the resource URLs using one of the following operations: + +- GET +- POST +- PATCH +- PUT (used for managing entities relations only) +- DELETE + +All threat intelligence API requests use the following basic URL pattern: + +``` + https://TI.SecurityCenter.Windows.com/{version}/{resource}?[query_parameters] +``` + +For this URL: +- `https://TI.SecurityCenter.Windows.com` is the threat intelligence API endpoint. +- `{version}` is the target service version. Currently, the only supported version is: v1.0. +- `{resource}` is resource segment or path, such as: + - AlertDefinitions (for specific single resource, add: (id)) + - IndicatorsOfCompromise (for specific single resource, add: (id)) +- `[query_parameters]` represents additional query parameters such as $filter and $select. + +**Quotas**
+Each tenant has a defined quota that limits the number of possible alert definitions, IOCs and another quota for IOCs of Action different than “equals” in the system. If you upload data beyond this quota, you'll encounter an HTTP error status code 507 (Insufficient Storage). + +## Threat intelligence API metadata +The metadata document ($metadata) is published at the service root. + +For example, you can view the service document for the v1.0 version using the following URL: + +``` + https://TI.SecurityCenter.Windows.com/v1.0/$metadata +``` + +The metadata allows you to see and understand the data model of the custom threat intelligence, including the entity types and sets, complex types, and enums that make up the request and response packets sent to and from the threat intelligence API. + +You can use the metadata to understand the relationships between entities in the custom threat intelligence and establish URLs that navigate between entities. + +The following sections show a few basic programming pattern calls to the threat intelligence API. + +## Create new resource +Typically, you'd need to create an alert definition to start creating custom threat intelligence. An ID is created for that alert definition. +You can then proceed to create an indicator of compromise and associate it to the ID of the alert definition. + +### Create a new alert definition + +```json +POST https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions HTTP/1.1 +Authorization: Bearer +Content-Type: application/json; + + +{ + "Name": " The name of the alert definition. Does not appear in the portal. Max length: 100 ", + "Severity": "Low", + "InternalDescription": "Internal description for the alert definition. Does not appear in the portal. Max length: 350", + "Title": "A short, one sentence, description of the alert definition. Max length: 120", + "UxDescription": "Max length: 500", + "RecommendedAction": "Custom text to explain what should be done in case of detection. 
Max length: 2000", + "Category": "Category from the metadata", + "Enabled": true +} +``` + +The following values correspond to the alert sections surfaced on the Windows Defender ATP portal: +![Image of alert from the portal](images/atp-custom-ti-mapping.png) + +Highlighted section | JSON key name +:---:|:--- +1 | Title +2 | Severity +3 | Category +4 | UX description +5 | Recommended Action + +If successful, you should get a 201 CREATED response containing the representation of the newly created alert definition, for example: + +```json + + "Name": "Connection to restricted company IP address", + "Severity": "Low", + "InternalDescription": "Unusual connection to restricted IP from production machine", + "Title": "Connection to restricted company IP address", + "UxDescription": "Any connection to this IP address from a production machine should be suspicious. Only special build machines should access this IP address.", + "RecommendedAction": "Isolate machine immediately and contact machine owner for awareness.", + "Category": "Trojan", + "Id": 2, + "CreatedAt": "2017-02-01T10:46:22.08Z", + "CreatedBy": "User1", + "LastModifiedAt": null, + "LastModifiedBy": null, + "Enabled": true + +``` + +### Create a new indicator of compromise + +```json +POST https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise HTTP/1.1 +Authorization: Bearer +Content-Type: application/json; + + +{ +"Type": "SHA1", +"Value": "8311e8b377736fb93b18b15372355f3f26c4cd29", +"DetectionFunction": "Equals", +"Enabled": true, +"AlertDefinition@odata.bind": "AlertDefinitions(1)" +} +``` +If successful, you should get a 201 CREATED response containing the representation of the newly created indicators of compromise in the payload. + + +## Bulk upload of alert definitions and IOCs +Bulk upload of multiple entities can be done by sending an HTTP POST request to `/{resource}/Actions.BulkUpload`.
+ +>[!WARNING] +>- This operation is atomic. The entire operation can either succeed or fail. If one alert definition or IOC has a malformed property, the entire upload will fail. +>- If your upload exceeds the IOCs or alert definitions quota, the entire operation will fail. Consider limiting your uploads. + + +The request’s body should contain a single JSON object with a single field. The name of the field in the case that the entity is alert definition is `alertDefinitions` and in the case of IOC is `iocs`. This field’s value should contain a list of the desired entities. + +For example: +Sending an HTTP POST to https://TI.SecurityCenter.Windows.com/V1.0/IndicatorsOfCompromise/Actions.BulkUpload + +JSON Body: + +```json +{ + "iocs": [{ + "Type": "SHA1", + "Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793", + "DetectionFunction": "Equals", + "Enabled": true, + "AlertDefinition@odata.bind": "AlertDefinitions(1)" + }, + { + "Type": "SHA1", + "Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793", + "DetectionFunction": "Equals", + "Enabled": true, + "AlertDefinition@odata.bind": "AlertDefinitions(1)" + } + ] +} +``` + +>[!NOTE] +> - Max bulk size is 5000 entities + +## Read existing data +### Get a specific resource + +```json +GET https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(1) HTTP/1.1 +Authorization: Bearer +Accept: application/json;odata.metadata=none +``` + +If successful, you should get a 200 OK response containing a single indicator of compromise representation (for the specified ID) in the payload, as shown as follows: + +```json +HTTP/1.1 200 OK +content - type: application/json;odata.metadata = none + + +{ + "value": [{ + "Type": "SHA1", + "Value": "abcdeabcde1212121212abcdeabcde1212121212", + "DetectionFunction": "Equals", + "ExpiresAt": null, + "Id": 1, + "CreatedAt": "2016-12-05T15:51:02Z", + "CreatedBy": "user2@Company1.contoso.com", + "LastModifiedAt": null, + "LastModifiedBy": null, + "Enabled": true + }] +} +``` + + +### Get the 
entire collection of entities of a given resource + + ``` + GET https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions HTTP/1.1 + Authorization: Bearer + ``` + + If successful, you should get a 200 OK response containing the collection of alert definitions representation in the payload, as shown as follows: + + ```json + HTTP/1.1 200 OK + content - type: application / json;odata.metadata = none + + + { + "@odata.context": "https://TI.SecurityCenter.Windows.com/V1.0/$metadata#AlertDefinitions", + "value": [{ + "Name": "Demo alert definition", + "Severity": "Medium", + "InternalDescription": "Some description", + "Title": "Demo short ux description", + "UxDescription": "Demo ux description", + "RecommendedAction": "Actions", + "Category": "Malware", + "Id": 1, + "CreatedAt": "2016-12-05T15:50:53Z", + "CreatedBy": "user@Company1.contoso.com", + "LastModifiedAt": null, + "LastModifiedBy": null, + "Enabled": true + }, + { + "Name": "Demo alert definition 2", + "Severity": "Low", + "InternalDescription": "Some description", + "Title": "Demo short ux description2", + "UxDescription": "Demo ux description2", + "RecommendedAction": null, + "Category": "Malware", + "Id": 2, + "CreatedAt": "2016-12-06T13:30:00Z", + "CreatedBy": "user2@Company1.contoso.com", + "LastModifiedAt": null, + "LastModifiedBy": null, + "Enabled": true + } + ] + } + ``` + + +## Update an existing resource +You can use the same pattern for both full and partial updates. + +```json +PATCH https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions(2) HTTP/1.1 +Authorization: Bearer +Content-Type: application/json; +Accept: application/json;odata.metadata=none + +{ + "Category": "Backdoor", + "Enabled": false +} +``` + +If successful, you should get a 200 OK response containing the updated alert definition representation (per the specified ID) in the payload. 
+ +## Update the association (relation) between an indicator of compromise to a different alert definition + +```json +PUT https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(3)/AlertDefinition/$ref HTTP/1.1 +Authorization : Bearer +Content-Type: application/json; + +{ + "@odata.id": "https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions(6)" +} +``` + +## Delete a resource + +``` +DELETE https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(1) HTTP/1.1 +Authorization: Bearer +``` + +If successful, you should get a 204 NO CONTENT response. + +>[!NOTE] + > - Deleting an alert definition also deletes its corresponding IOCs. + > - Deleting an IOC or an alert definition will not delete or hide past alerts matching the alert definition. However, deleting an alert definition and creating a new one with the exact same metadata will result in new alerts in the portal. It's not advised to delete an alert definition and create a new one with the same content. + +## Delete all +You can use the HTTP DELETE method sent to the relevant source to delete all resources. + +``` +DELETE https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise HTTP/1.1 +Authorization : Bearer +``` +If successful, you should get a 204 NO CONTENT response. + +## Delete all IOCs connected to a given alert definition +This action will delete all the IOCs associated with a given alert definition without deleting the alert definition itself. + +For example, deleting all of the IOCs associated with the alert definition with ID `1` deletes all those IOCs without deleting the alert definition itself. + +Send an HTTP POST to `https://TI.SecurityCenter.Windows.com/V1.0/AlertDefinitions(1)/Actions.DeleteIOCs`. + +Upon a successful request the response will be HTTP 204. + +>[!NOTE] +> As with all OData actions, this action is sending an HTTP POST request not DELETE. 
+ + +## Windows Defender ATP optional query parameters +The Windows Defender ATP threat intelligence API provides several optional query parameters that you can use to specify and control the amount of data returned in a response. The threat intelligence API supports the following query options: + +Name | Value | Description +:---|:---|:-- +$select | string | Comma-separated list of properties to include in the response. +$expand | string | Comma-separated list of relationships to expand and include in the response. +$orderby | string | Comma-separated list of properties that are used to sort the order of items in the response collection. +$filter | string | Filters the response based on a set of criteria. +$top | int | The number of items to return in a result set. +$skip | int | The number of items to skip in a result set. +$count | boolean | A collection and the number of items in the collection. + +These parameters are compatible with the [OData V4 query language](http://docs.oasis-open.org/odata/odata/v4.0/errata03/os/complete/part2-url-conventions/odata-v4.0-errata03-os-part2-url-conventions-complete.html#_Toc453752356). + + +## Code examples +The following articles provide detailed code examples that demonstrate how to use the custom threat intelligence API in several programming languages: +- PowerShell code examples +- Python code examples + + +## Related topics +- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md index 990e0ac396..c2c75d2d52 100644 
--- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md @@ -21,6 +21,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + The **Dashboard** displays a snapshot of: - The latest active alerts on your network @@ -33,7 +35,7 @@ You can explore and investigate alerts and machines to quickly determine if, whe From the **Dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators. -It also has clickable tiles that give visual cues on the overall health status of your organization. Each tile opens a detailed view of the corresponding overview. +It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview. ## ATP alerts You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**. 
@@ -42,30 +44,25 @@ You can view the overall number of active ATP alerts from the last 30 days in yo Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**). -For more information see, [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). +For more information see, [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md). -The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). +The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md). ## Machines at risk This tile shows you a list of machines with the highest number of active alerts. 
The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). -![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png) +![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/atp-machines-at-risk.png) Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). -## Status -The **Status** tile informs you if the service is active or if there are issues and the unique number of machines (endpoints) reporting to the service over the past 30 days. +## Users at risk +The tile shows you a list of user accounts with the most active alerts. The total number of alerts for each user is shown in a circle next to the user account, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). 
-![The Status tile shows an overall indicator of the service and the total number of machines reporting to the service](images/status-tile.png) +![User accounts at risk tile shows a list of user accounts with the highest number of alerts and a breakdown of the severity of the alerts](images/atp-users-at-risk.png) -For more information on the service status, see [Check the Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md). - -## Machines reporting -The **Machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily. Hover over individual bars on the graph to see the exact number of machines reporting in each day. - -![The Machines reporting tile shows the number of machines reporting each day for the past 30 days](images/machines-reporting-tile.png) +Click the user account to see details about the user account. For more information see [Investigate a user entity in Windows Defender Advanced Threat Protection] ## Machines with active malware detections The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender. 
@@ -91,11 +88,37 @@ Clicking on any of these categories will navigate to the [Machines view](investi > [!NOTE] > The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. -### Related topics -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) +## Sensor health +The **Sensor health** tile provides information on the individual endpoint’s ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines. + +![Sensor health tile](images/atp-tile-sensor-health.png) + +There are two status indicators that provide information on the number of machines that are not reporting properly to the service: +- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month. +- **Misconfigured** – These machines might partially be reporting telemetry to the Windows Defender ATP service and might have configuration errors that need to be corrected. + +When you click any of the groups, you’ll be directed to machines view, filtered according to your choice. For more information, see [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). + +## Service health +The **Service health** tile informs you if the service is active or if there are issues. + +![The Service health tile shows an overall indicator of the service](images/status-tile.png) + +For more information on the service status, see [Check the Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md). 
+ +## Daily machines reporting +The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day. + +![The Machines reporting tile shows the number of machines reporting each day for the past 30 days](images/machines-reporting-tile.png) + +## Related topics +- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Windows Defender ATP ](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) 
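Review bot: In the `@@ -42,30 +44,25 @@` hunk, the new Users at risk section ends with `[Investigate a user entity in Windows Defender ATP]` and no link target, so it will render as literal bracketed text; the Related topics list added in the last hunk already points to `investigate-user-windows-defender-advanced-threat-protection.md`, so use that target and the same title ("Investigate a user account in Windows Defender ATP"). In the `@@ -91,11 +88,37 @@` hunk, the two Sensor health bullets use different dashes (`**Inactive** -` versus `**Misconfigured** –`), "directed to machines view" should be "**Machines view**" to match the rest of the page, and two Related topics entries carry a trailing space inside the link text (`...Alerts queue ]` and `...Windows Defender ATP ]`), which some renderers keep in the visible link.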
diff --git a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md index 91bec22e77..9c17747345 100644 --- a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Windows Defender compatibility -description: Learn about how Windows Defender works with Windows Defender ATP. +description: Learn about how Windows Defender works with Windows Defender ATP and how it functions when a third-party antimalware client is used. keywords: windows defender compatibility, defender, windows defender atp search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..38074271e9 --- /dev/null +++ b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,45 @@ +--- +title: Enable the custom threat intelligence application in Windows Defender ATP +description: Enable the custom threat intelligence application in Windows Defender ATP so that you can create custom threat intelligence using REST API. +keywords: enable custom threat intelligence application, custom ti application, application name, client id, authorization url, resource, client secret, access tokens +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Enable the custom threat intelligence application + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal. + +1. In the navigation pane, select **Preference Setup** > **Threat intel API**. + +2. Select **Enable threat intel API**. This activates the **Azure Active Directory application** setup sections with pre-populated values. + +3. Copy the individual values or select **Save details to file** to download a file that contains all the values. + + >[!WARNING] + >The client secret is only displayed once. Make sure you keep a copy of it in a safe place. + >For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + +4. Select **Generate tokens** to get an access and refresh token. 
+ +You’ll need to use the access token in the Authorization header when doing REST API calls. + +## Related topics +- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Create custom threat intelligence](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..897187ce25 --- /dev/null +++ b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,80 @@ +--- +title: Fix unhealthy sensors in Windows Defender ATP +description: Fix machine sensors that are reporting as misconfigured or inactive. +keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communication, communication +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Fix unhealthy sensors in Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured. + +## Inactive machines + +An inactive machine is not necessarily flagged due to an issue. The following actions taken on a machine can cause a machine to be categorized as inactive: + +**Machine is not in use**
+If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal. + +**Machine was reinstalled or renamed**
+A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally. + +**Machine was offboarded**
+If the machine was offboarded it will still appear in machines view. After 7 days, the machine health state should change to inactive. + +Do you expect a machine to be in ‘Active’ status? [Open a CSS ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). + +## Misconfigured machines +Misconfigured machines can further be classified to: + - Impaired communication + - No sensor data + +### Impaired communication +This status indicates that there's limited communication between the machine and the service. + +The following suggested actions can help fix issues related to a misconfigured machine with impaired communication: + +- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection) + The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. + +- Verify client connectivity to Windows Defender ATP service URLs
+ Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs. + +If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). + +### No sensor data +A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report partial sensor data. +Follow theses actions to correct known issues related to a misconfigured machine with status ‘Impaired communication’: + +- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection) + The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. + +- Verify client connectivity to Windows Defender ATP service URLs
+ Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs. + +- [Ensure the telemetry and diagnostics service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled) +If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. + +- [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy) +If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. + +If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). + +## Related topic +- [Check sensor health state in Windows Defender ATP](check-sensor-status-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..b8021ab337 --- /dev/null +++ b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,36 @@ +--- +title: Update general Windows Defender Advanced Threat Protection settings +description: Update your general Windows Defender Advanced Threat Protection settings after onboarding. +keywords: general settings, settings, update settings +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- +# Update general Windows Defender ATP settings + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu. + +1. In the navigation pane, select **Preferences setup** > **General**. +2. Modify settings such as data retention policy or the industry that best describes your organization. + + >[!NOTE] + >Other settings are not editable. +3. Click **Save preferences**. + + +## Related topics +- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md) +- [Turn on the preview experience in Windows Defender ATP ](preview-settings-windows-defender-advanced-threat-protection.md) +- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/images/alert-details.png b/windows/keep-secure/images/alert-details.png index e2f5a387b0..ad520f97ee 100644 Binary files a/windows/keep-secure/images/alert-details.png and b/windows/keep-secure/images/alert-details.png differ 
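Review bot: In the Related topics list of the new general-settings file, the first target `advanced-features-windows-defender-advacned-threat-protection.md` has "advacned" transposed; unless a file with exactly that name exists, the link is broken. The menu is called **Preferences setup** here but **Preference Setup** in the enable-custom-ti file in the same patch; the two pages should agree. The second entry `[Turn on the preview experience in Windows Defender ATP ]` has a trailing space inside the brackets.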
diff --git a/windows/keep-secure/images/alerts-q-bulk.png b/windows/keep-secure/images/alerts-q-bulk.png new file mode 100644 index 0000000000..9aad1b64aa Binary files /dev/null and b/windows/keep-secure/images/alerts-q-bulk.png differ diff --git a/windows/keep-secure/images/alerts-queue-numbered.png b/windows/keep-secure/images/alerts-queue-numbered.png new file mode 100644 index 0000000000..39c6a467aa Binary files /dev/null and b/windows/keep-secure/images/alerts-queue-numbered.png differ diff --git a/windows/keep-secure/images/atp-action-center-with-info.png b/windows/keep-secure/images/atp-action-center-with-info.png new file mode 100644 index 0000000000..ff3c828a38 Binary files /dev/null and b/windows/keep-secure/images/atp-action-center-with-info.png differ diff --git a/windows/keep-secure/images/atp-actor-report.png b/windows/keep-secure/images/atp-actor-report.png new file mode 100644 index 0000000000..c7c4d60928 Binary files /dev/null and b/windows/keep-secure/images/atp-actor-report.png differ diff --git a/windows/keep-secure/images/atp-add-intune-policy.png b/windows/keep-secure/images/atp-add-intune-policy.png index 61a47e9f37..e8c914746a 100644 Binary files a/windows/keep-secure/images/atp-add-intune-policy.png and b/windows/keep-secure/images/atp-add-intune-policy.png differ diff --git a/windows/keep-secure/images/atp-alert-process-tree.png b/windows/keep-secure/images/atp-alert-process-tree.png new file mode 100644 index 0000000000..06daaa6ea7 Binary files /dev/null and b/windows/keep-secure/images/atp-alert-process-tree.png differ diff --git a/windows/keep-secure/images/atp-alert-status.png b/windows/keep-secure/images/atp-alert-status.png new file mode 100644 index 0000000000..b2380e0236 Binary files /dev/null and b/windows/keep-secure/images/atp-alert-status.png differ 
diff --git a/windows/keep-secure/images/atp-alert-timeline.png b/windows/keep-secure/images/atp-alert-timeline.png new file mode 100644 index 0000000000..467c7a321e Binary files /dev/null and b/windows/keep-secure/images/atp-alert-timeline.png differ diff --git a/windows/keep-secure/images/atp-alerts-group.png b/windows/keep-secure/images/atp-alerts-group.png new file mode 100644 index 0000000000..e3bf3d41f0 Binary files /dev/null and b/windows/keep-secure/images/atp-alerts-group.png differ diff --git a/windows/keep-secure/images/atp-alerts-q.png b/windows/keep-secure/images/atp-alerts-q.png new file mode 100644 index 0000000000..1131ead044 Binary files /dev/null and b/windows/keep-secure/images/atp-alerts-q.png differ diff --git a/windows/keep-secure/images/atp-alerts-related-to-file.png b/windows/keep-secure/images/atp-alerts-related-to-file.png new file mode 100644 index 0000000000..ecfb56f1a8 Binary files /dev/null and b/windows/keep-secure/images/atp-alerts-related-to-file.png differ diff --git a/windows/keep-secure/images/atp-blockfile.png b/windows/keep-secure/images/atp-blockfile.png new file mode 100644 index 0000000000..9b446a53cc Binary files /dev/null and b/windows/keep-secure/images/atp-blockfile.png differ diff --git a/windows/keep-secure/images/atp-custom-ti-mapping.png b/windows/keep-secure/images/atp-custom-ti-mapping.png new file mode 100644 index 0000000000..251c387646 Binary files /dev/null and b/windows/keep-secure/images/atp-custom-ti-mapping.png differ diff --git a/windows/keep-secure/images/atp-export-machine-timeline-events.png b/windows/keep-secure/images/atp-export-machine-timeline-events.png new file mode 100644 index 0000000000..99f214b11e Binary files /dev/null and b/windows/keep-secure/images/atp-export-machine-timeline-events.png differ 
diff --git a/windows/keep-secure/images/atp-file-action.png b/windows/keep-secure/images/atp-file-action.png new file mode 100644 index 0000000000..106329f89e Binary files /dev/null and b/windows/keep-secure/images/atp-file-action.png differ diff --git a/windows/keep-secure/images/atp-file-in-org.png b/windows/keep-secure/images/atp-file-in-org.png new file mode 100644 index 0000000000..12f980de0a Binary files /dev/null and b/windows/keep-secure/images/atp-file-in-org.png differ diff --git a/windows/keep-secure/images/atp-file-information.png b/windows/keep-secure/images/atp-file-information.png new file mode 100644 index 0000000000..ea5619c545 Binary files /dev/null and b/windows/keep-secure/images/atp-file-information.png differ diff --git a/windows/keep-secure/images/atp-incident-graph.png b/windows/keep-secure/images/atp-incident-graph.png new file mode 100644 index 0000000000..2968bc4cbb Binary files /dev/null and b/windows/keep-secure/images/atp-incident-graph.png differ diff --git a/windows/keep-secure/images/atp-investigation-package-action-center.png b/windows/keep-secure/images/atp-investigation-package-action-center.png new file mode 100644 index 0000000000..1f9129f05e Binary files /dev/null and b/windows/keep-secure/images/atp-investigation-package-action-center.png differ diff --git a/windows/keep-secure/images/atp-isolate-machine.png b/windows/keep-secure/images/atp-isolate-machine.png new file mode 100644 index 0000000000..4905b60304 Binary files /dev/null and b/windows/keep-secure/images/atp-isolate-machine.png differ diff --git a/windows/keep-secure/images/atp-machine-details-view.png b/windows/keep-secure/images/atp-machine-details-view.png new file mode 100644 index 0000000000..e91eb539fa Binary files /dev/null and b/windows/keep-secure/images/atp-machine-details-view.png differ 
diff --git a/windows/keep-secure/images/atp-machine-details-view.png.pdf b/windows/keep-secure/images/atp-machine-details-view.png.pdf new file mode 100644 index 0000000000..6f018827bb Binary files /dev/null and b/windows/keep-secure/images/atp-machine-details-view.png.pdf differ diff --git a/windows/keep-secure/images/atp-machine-health-details.png b/windows/keep-secure/images/atp-machine-health-details.png new file mode 100644 index 0000000000..63431efa68 Binary files /dev/null and b/windows/keep-secure/images/atp-machine-health-details.png differ diff --git a/windows/keep-secure/images/atp-machine-health.png b/windows/keep-secure/images/atp-machine-health.png new file mode 100644 index 0000000000..ded3475bea Binary files /dev/null and b/windows/keep-secure/images/atp-machine-health.png differ diff --git a/windows/keep-secure/images/atp-machine-investigation-package.png b/windows/keep-secure/images/atp-machine-investigation-package.png new file mode 100644 index 0000000000..2c32d9780d Binary files /dev/null and b/windows/keep-secure/images/atp-machine-investigation-package.png differ diff --git a/windows/keep-secure/images/atp-machine-isolation.png b/windows/keep-secure/images/atp-machine-isolation.png new file mode 100644 index 0000000000..10b778ae73 Binary files /dev/null and b/windows/keep-secure/images/atp-machine-isolation.png differ diff --git a/windows/keep-secure/images/atp-machine-timeline-details-panel.png b/windows/keep-secure/images/atp-machine-timeline-details-panel.png new file mode 100644 index 0000000000..fbb2de4176 Binary files /dev/null and b/windows/keep-secure/images/atp-machine-timeline-details-panel.png differ diff --git a/windows/keep-secure/images/atp-machine-timeline.png b/windows/keep-secure/images/atp-machine-timeline.png new file mode 100644 index 0000000000..9ad30bceec Binary files /dev/null and b/windows/keep-secure/images/atp-machine-timeline.png differ 
diff --git a/windows/keep-secure/images/atp-machines-at-risk.png b/windows/keep-secure/images/atp-machines-at-risk.png new file mode 100644 index 0000000000..e733606c0c Binary files /dev/null and b/windows/keep-secure/images/atp-machines-at-risk.png differ diff --git a/windows/keep-secure/images/atp-machines-view-list.png b/windows/keep-secure/images/atp-machines-view-list.png new file mode 100644 index 0000000000..ac38039f3a Binary files /dev/null and b/windows/keep-secure/images/atp-machines-view-list.png differ diff --git a/windows/keep-secure/images/atp-main-portal.png b/windows/keep-secure/images/atp-main-portal.png new file mode 100644 index 0000000000..2aa75b7dca Binary files /dev/null and b/windows/keep-secure/images/atp-main-portal.png differ diff --git a/windows/keep-secure/images/atp-mdm-onboarding-package.png b/windows/keep-secure/images/atp-mdm-onboarding-package.png index 23b9c49490..6be87715e9 100644 Binary files a/windows/keep-secure/images/atp-mdm-onboarding-package.png and b/windows/keep-secure/images/atp-mdm-onboarding-package.png differ diff --git a/windows/keep-secure/images/atp-no-network-connection.png b/windows/keep-secure/images/atp-no-network-connection.png new file mode 100644 index 0000000000..ac6eb4b4f8 Binary files /dev/null and b/windows/keep-secure/images/atp-no-network-connection.png differ diff --git a/windows/keep-secure/images/atp-notification-file.png b/windows/keep-secure/images/atp-notification-file.png new file mode 100644 index 0000000000..703719d8a3 Binary files /dev/null and b/windows/keep-secure/images/atp-notification-file.png differ diff --git a/windows/keep-secure/images/atp-notification-isolate.png b/windows/keep-secure/images/atp-notification-isolate.png new file mode 100644 index 0000000000..e81dd276a4 Binary files /dev/null and b/windows/keep-secure/images/atp-notification-isolate.png differ 
diff --git a/windows/keep-secure/images/atp-observed-in-organization.png b/windows/keep-secure/images/atp-observed-in-organization.png new file mode 100644 index 0000000000..508822a2ad Binary files /dev/null and b/windows/keep-secure/images/atp-observed-in-organization.png differ diff --git a/windows/keep-secure/images/atp-observed-machines.png b/windows/keep-secure/images/atp-observed-machines.png new file mode 100644 index 0000000000..845b97a82a Binary files /dev/null and b/windows/keep-secure/images/atp-observed-machines.png differ diff --git a/windows/keep-secure/images/atp-preferences-setup.png b/windows/keep-secure/images/atp-preferences-setup.png new file mode 100644 index 0000000000..bf67591f66 Binary files /dev/null and b/windows/keep-secure/images/atp-preferences-setup.png differ diff --git a/windows/keep-secure/images/atp-remove-blocked-file.png b/windows/keep-secure/images/atp-remove-blocked-file.png new file mode 100644 index 0000000000..deed34e291 Binary files /dev/null and b/windows/keep-secure/images/atp-remove-blocked-file.png differ diff --git a/windows/keep-secure/images/atp-sensor-filter.png b/windows/keep-secure/images/atp-sensor-filter.png new file mode 100644 index 0000000000..76267fb27f Binary files /dev/null and b/windows/keep-secure/images/atp-sensor-filter.png differ diff --git a/windows/keep-secure/images/atp-sensor-health-filter-resized.png b/windows/keep-secure/images/atp-sensor-health-filter-resized.png new file mode 100644 index 0000000000..0c0f7d0eec Binary files /dev/null and b/windows/keep-secure/images/atp-sensor-health-filter-resized.png differ diff --git a/windows/keep-secure/images/atp-sensor-health-filter-tile.png b/windows/keep-secure/images/atp-sensor-health-filter-tile.png new file mode 100644 index 0000000000..8e2da99e51 Binary files /dev/null and b/windows/keep-secure/images/atp-sensor-health-filter-tile.png differ 
diff --git a/windows/keep-secure/images/atp-sensor-health-filter.png b/windows/keep-secure/images/atp-sensor-health-filter.png new file mode 100644 index 0000000000..b82d66a85a Binary files /dev/null and b/windows/keep-secure/images/atp-sensor-health-filter.png differ diff --git a/windows/keep-secure/images/atp-sensor-health-nonav.png b/windows/keep-secure/images/atp-sensor-health-nonav.png new file mode 100644 index 0000000000..922f8c681b Binary files /dev/null and b/windows/keep-secure/images/atp-sensor-health-nonav.png differ diff --git a/windows/keep-secure/images/atp-sensor-health-tile.png b/windows/keep-secure/images/atp-sensor-health-tile.png new file mode 100644 index 0000000000..067d26d957 Binary files /dev/null and b/windows/keep-secure/images/atp-sensor-health-tile.png differ diff --git a/windows/keep-secure/images/atp-stop-quarantine-file.png b/windows/keep-secure/images/atp-stop-quarantine-file.png new file mode 100644 index 0000000000..cb58fad705 Binary files /dev/null and b/windows/keep-secure/images/atp-stop-quarantine-file.png differ diff --git a/windows/keep-secure/images/atp-stopnquarantine-file.png b/windows/keep-secure/images/atp-stopnquarantine-file.png new file mode 100644 index 0000000000..a66341935b Binary files /dev/null and b/windows/keep-secure/images/atp-stopnquarantine-file.png differ diff --git a/windows/keep-secure/images/atp-suppression-rules.png b/windows/keep-secure/images/atp-suppression-rules.png new file mode 100644 index 0000000000..4ee5270fd0 Binary files /dev/null and b/windows/keep-secure/images/atp-suppression-rules.png differ diff --git a/windows/keep-secure/images/atp-thunderbolt-icon.png b/windows/keep-secure/images/atp-thunderbolt-icon.png new file mode 100644 index 0000000000..d2c31bfab3 Binary files /dev/null and b/windows/keep-secure/images/atp-thunderbolt-icon.png differ 
diff --git a/windows/keep-secure/images/atp-tile-sensor-health.png b/windows/keep-secure/images/atp-tile-sensor-health.png new file mode 100644 index 0000000000..3aa0b451bc Binary files /dev/null and b/windows/keep-secure/images/atp-tile-sensor-health.png differ diff --git a/windows/keep-secure/images/atp-undo-isolation.png b/windows/keep-secure/images/atp-undo-isolation.png new file mode 100644 index 0000000000..ea42abd060 Binary files /dev/null and b/windows/keep-secure/images/atp-undo-isolation.png differ diff --git a/windows/keep-secure/images/atp-user-details-pane.png b/windows/keep-secure/images/atp-user-details-pane.png new file mode 100644 index 0000000000..200437ab22 Binary files /dev/null and b/windows/keep-secure/images/atp-user-details-pane.png differ diff --git a/windows/keep-secure/images/atp-user-details-view.png b/windows/keep-secure/images/atp-user-details-view.png new file mode 100644 index 0000000000..b0732653d6 Binary files /dev/null and b/windows/keep-secure/images/atp-user-details-view.png differ diff --git a/windows/keep-secure/images/atp-users-at-risk.png b/windows/keep-secure/images/atp-users-at-risk.png new file mode 100644 index 0000000000..4e86dbb2f5 Binary files /dev/null and b/windows/keep-secure/images/atp-users-at-risk.png differ diff --git a/windows/keep-secure/images/machines-active-threats-tile.png b/windows/keep-secure/images/machines-active-threats-tile.png index 9f347dcf68..9825e05317 100644 Binary files a/windows/keep-secure/images/machines-active-threats-tile.png and b/windows/keep-secure/images/machines-active-threats-tile.png differ diff --git a/windows/keep-secure/images/machines-reporting-tile.png b/windows/keep-secure/images/machines-reporting-tile.png index 96989bd0cf..9825e05317 100644 Binary files a/windows/keep-secure/images/machines-reporting-tile.png and b/windows/keep-secure/images/machines-reporting-tile.png differ 
diff --git a/windows/keep-secure/images/rules-legend.png b/windows/keep-secure/images/rules-legend.png index a044d20621..dea7d1dc70 100644 Binary files a/windows/keep-secure/images/rules-legend.png and b/windows/keep-secure/images/rules-legend.png differ diff --git a/windows/keep-secure/images/status-tile.png b/windows/keep-secure/images/status-tile.png index 2ab17ccff1..78812e3248 100644 Binary files a/windows/keep-secure/images/status-tile.png and b/windows/keep-secure/images/status-tile.png differ diff --git a/windows/keep-secure/images/submit-file.png b/windows/keep-secure/images/submit-file.png index 63c350c9a9..9240eccabf 100644 Binary files a/windows/keep-secure/images/submit-file.png and b/windows/keep-secure/images/submit-file.png differ diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md index ef95089b35..58805fa39c 100644 --- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md 
@@ -21,68 +21,66 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization. +You can click an alert in any of the [alert queues](alerts-queue-windows-defender-advanced-threat-protection.md) to begin an investigation. Selecting an alert brings up the **Alert management pane**, while clicking an alert brings you the alert details view where general information about the alert, some recommended actions, an alert process tree, an incident graph, and an alert timeline is shown. -There are three alert severity levels, described in the following table. +You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**. -Alert severity | Description -:---|:--- -High (Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints. -Medium (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages. -Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization. - -Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints. 
- -Alerts are organized in three queues, by their workflow status: - -- **New** -- **In progress** -- **Resolved** - -To begin investigating, click on an alert in [any of the alert queues](alerts-queue-windows-defender-advanced-threat-protection.md). - -Details displayed about the alert include: -- When the alert was last observed -- Alert description -- Recommended actions -- The incident graph -- The indicators that triggered the alert - -Alerts attributed to an adversary or actor display a colored tile with the actor name. - -Click on the actor's name to see a threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as areas where it's active worldwide. You will also see a set of recommended actions to take. - -Some actor profiles include a link to download a more comprehensive threat intelligence report. +Alerts attributed to an adversary or actor display a colored tile with the actor's name. ![A detailed view of an alert when clicked](images/alert-details.png) +Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs) and areas where they've been observed worldwide. You will also see a set of recommended actions to take. + +Some actor profiles include a link to download a more comprehensive threat intelligence report. + +![Image of detailed actor profile](images/atp-actor-report.png) + +The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading. 
+ +## Alert process tree +The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence and other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page. + +![Image of the alert process tree](images/atp-alert-process-tree.png) + +The **Alert process tree** expands to display the execution path of the alert, its evidence, and related events that occurred in the minutes - before and after - the alert. + +The alert and related events or evidence have circles with thunderbolt icons inside them. + +>[!NOTE] +>The alert process tree might not be available in some alerts. + +Clicking in the circle immediately to the left of the indicator displays the **Alert details** pane where you can take a deeper look at the details about the alert. It displays rich information about the selected process, file, IP address, and other details taken from the entity's page – while remaining on the alert page, so you never leave the current context of your investigation. + + + ## Incident graph -The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines. +The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other machines. It provides a graphical mapping from the original machine and evidence expanding to show other machines in the organization where the triggering evidence was also observed. -You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert. 
+![Image of the Incident graph](images/atp-incident-graph.png) -## Alert spotlight -The alert spotlight feature helps ease investigations by highlighting alerts related to a specific machine and events. You can highlight an alert and its related events in the machine timeline to increase your focus during an investigation. +The **Incident Graph** previously supported expansion by File and Process, and now supports expansion by additional criteria: known processes and Destination IP Address. -You can click on the machine link from the alert view to see the alerts related to the machine. +The Windows Defender ATP service keeps track of "known processes". Alerts related to known processes mostly include specific command lines, that combined are the basis for the alert. The **Incident Graph** supports expanding known processes with their command line to display other machines where the known process and the same command line were observed. +The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page. - > [!NOTE] - > This shortcut is not available from the Incident graph machine links. +You can click the full circles on the incident graph to expand the nodes and view the expansion to other machines where the matching criteria were observed. -Alerts related to the machine are displayed under the **Alerts related to this machine** section. -Clicking on an alert row takes you the to the date in which the alert was flagged on **Machine timeline**. This eliminates the need to manually filter and drag the machine timeline marker to when the alert was seen on that machine. +## Alert timeline +The **Alert timeline** feature provides an addition view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. 
This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert. -You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine. Right-click on any alert from either section and select **Mark related events**. This highlights alerts and events that are related and helps differentiate between the other alerts listed in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviours**, or **Verbose**. +![Image of alert timeline](images/atp-alert-timeline.png) -You can also remove the highlight by right-clicking a highlighted alert and selecting **Unmark related events**. +Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization. 
- -### Related topics +## Related topics - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md index 4e52c15a2e..d0e04eabe5 100644 --- a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md 
+++ b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md @@ -45,9 +45,12 @@ The **Communication with URL in organization** section provides a chronological ## Related topics - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md index 5d547bd269..e45a3d17d3 100644 --- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md 
@@ -24,119 +24,41 @@ Investigate the details of a file associated with a specific alert, behavior, or You can get information from the following sections in the file view: -- File details -- Deep analysis -- File in organization -- Observed in organization +- File details, Malware detection, Prevalence worldwide +- Deep analysis +- Alerts related to this file +- File in organization +- Most recent observed machines with file -The file details section shows attributes of the file such as its MD5 hash or number and its prevalence worldwide. -The **Deep analysis** section provides the option of submitting a file for deep analysis to gain detailed visibility on observed suspicious behaviors, and associated artifacts. For more information on submitting files for deep analysis, see the **Deep analysis** topic. +The file details, malware detection, and prevalence worldwide sections display various attributes about the file. You’ll see actions you can take on the file. For more information on how to take action on a file, see [Take response action on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md). -The **File in organization** section provides details on the prevalence of the file and the name observed in the organization. +You'll also see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the file’s prevalence worldwide. You'll also be able to [submit a file for deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis). -The **Observed in organization** section provides a chronological view on the events and associated alerts that were observed on the file. +![Image of file information](images/atp-file-information.png) -You'll see a list of machines associated with the file and a description of the action taken by the file. +The **Alerts related to this file** section provides a list of alerts that are associated with the file. 
This list is a simplified version of the Alerts queue, and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. -**Investigate a file** +![Image of alerts related to the file section](images/atp-alerts-related-to-file.png) -1. Select the file you want to investigate. You can select a file from any of the following views or use the Search box: - - Alerts - click the file links from the **Description** or **Details** in the Alert timeline - - Machines view - click the file links in the **Description** or **Details** columns in the **Observed on machine** section - - Search box - select **File** from the drop-down menu and enter the file name -2. View the file details. -3. Use the search filters to define the search criteria. You can also use the timeline search box to further filter displayed search results. +The **File in organization** section provides details on the prevalence of the file, prevalence in email inboxes and the name observed in the organization. -##Deep analysis -Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis. +![Image of file in organization](images/atp-file-in-org.png) -The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs. -Deep analysis currently supports extensive analysis of PE (portable executable) files (including _.exe_ and _.dll_ files). 
+The **Most recent observed machines with the file** section allows you to specify a date range to see which machines have been observed with the file. -Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. +![Image of most recent observed machine with the file](images/atp-observed-machines.png) -Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts. +This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if you’re trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching. -## Submit files for analysis - -Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view. - -In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis. - -> [!NOTE] -> Only files from Windows 10 can be automatically collected. 
- -You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available. - -> [!NOTE] -> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP. - -When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications. - -**Submit files for deep analysis:** - -1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: - - Alerts - click the file links from the **Description** or **Details** in the Alert timeline - - **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section - - Search box - select **File** from the drop-down menu and enter the file name -2. In the **Deep analysis** section of the file view, click **Submit**. - -![You can only submit PE files in the file details seciton](images/submit-file.png) - ->**Note**  Only portable executable (PE) files are supported, including _.exe_ and _.dll_ files - -A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done. - -> [!NOTE] -> Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file. 
- -## View deep analysis report - -View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context. - -You can view the comprehensive report that provides details on: - -- Observed behaviors -- Associated artifacts - -The details provided can help you investigate if there are indications of a potential attack. - -**View deep analysis reports:** - -1. Select the file you submitted for deep analysis. -2. Click **See the report below**. Information on the analysis is displayed. - -![The deep analysis report shows detailed information across a number of categories](images/analysis-results.png) - -## Troubleshooting deep analysis - -If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps. - -**Troubleshoot deep analysis:** - -1. Ensure the file is a PE. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications). -2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. -3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error. -4. Verify the policy setting enables sample collection and try to submit the file again. - - a. Change the following registry entry and values to change the policy on specific endpoints: - ``` -HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection - Value = 0 - block sample collection - Value = 1 - allow sample collection -``` -5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md). -6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). 
- -> [!NOTE] -> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default. - -### Related topics +## Related topics - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md index 381ee7be12..1b792ae89e 100644 
--- a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Investigate Windows Defender Advanced Threat Protection IP address +title: Investigate an IP address associated with an alert description: Use the investigation options to examine possible communication between machines and external IP addresses. keywords: investigate, investigation, IP address, alert, windows defender atp, external IP search.product: eADQiWindows 10XVcnh @@ -24,7 +24,7 @@ Examine possible communication between your machines and external internet proto Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines. -You can information from the following sections in the IP address view: +You can find information from the following sections in the IP address view: - IP address details - IP in organization 
@@ -53,9 +53,12 @@ Clicking any of the machine names will take you to that machine's view, where yo ## Related topics - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md index bc3e8df73d..69a0b102c6 100644 
--- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md 
@@ -21,62 +21,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting sensor data in your network. - -Use the Machines view in these two main scenarios: - -- **During onboarding** - - During the onboarding process, the Machines view gradually gets populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they appear. Use the available features to sort and filer to see which endpoints have most recently reported sensor data, or download the complete endpoint list as a CSV file for offline analysis. -- **Day-to-day work** - - The **Machines view** enables you to identify machines that are most at risk in a glance. High-risk machines are those with the greatest number and highest-severity alerts. By sorting the machines by risk, you'll be able to identify the most vulnerable machines and take action on them. 
- -The Machines view contains the following columns: - -- **Machine name** - the name or GUID of the machine -- **Domain** - the domain the machine belongs to -- **Last seen** - when the machine last reported sensor data -- **Internal IP** - the local internal Internet Protocol (IP) address of the machine -- **Active Alerts** - the number of alerts reported by the machine by severity -- **Active malware detections** - the number of active malware detections reported by the machine - -> [!NOTE] -> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. - -Click any column header to sort the view in ascending or descending order. - -![Screenshot of the Machines view on the portal](images/machines-view.png) - -You can sort the **Machines view** by **Machine name**, **Last seen**, **IP**, **Active Alerts**, and **Active malware detections**. Scroll down the **Machines view** to see additional machines. - -The view contains two filters: time and threat category. - -You can filter the view by the following time periods: - -- 1 day -- 3 days -- 7 days -- 30 days -- 6 months - -> [!NOTE] -> When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported sensor data within the last 24-hour period. - -The threat category filter lets you filter the view by the following categories: - -- Password stealer -- Ransomware -- Exploit -- Threat -- Low severity - -For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#machines-with-active-malware-detections). - -You can also download a full list of all the machines in your organization, in CSV format. 
Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file. - - **Note**: Exporting the list depends on the number of machines in your organization. It can take a significant amount of time to download, depending on how large your organization is. -Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself. - -## Investigate a machine +## Investigate machines Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach. You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas: 
@@ -89,70 +34,90 @@ You can click on affected machines whenever you see them in the portal to open a - Any IP address or domain details view When you investigate a specific machine, you'll see: +- Machine details, Logged on user, and Machine Reporting +- Alerts related to this machine +- Machine timeline -- **Machine details**, **Machine IP Addresses**, and **Machine Reporting** -- **Alerts related to this machine** -- **Machine timeline** +![Image of machine details page](images/atp-machine-details-view.png) -The machine details, IP, and reporting sections display some attributes of the machine such as its name, domain, OS, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service. +The machine details, total logged on users and machine reporting sections display various attributes about the machine. You’ll see details such as machine name, health status, actions you can take on the machine. For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md). -The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date that the alert was detected, a short description of the alert, the alert's severity, the alert's threat category, and the alert's status in the queue. +You'll also see other information such as domain, operating system (OS), total logged on users and who frequently and less frequently logged on, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service. 
+ +Clicking on the number of total logged on users in the Logged on user tile opens the Users Details pane that displays the following information for logged on users in the past 30 days: + +- Interactive and remote interactive logins +- Network, batch, and system logins + +![Image of user details pane](images/atp-user-details-pane.png) + +You'll also see details such as logon types for each user account, the user group, and when the account was logged in. + + For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md). + +The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. + +You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights alerts and related events and helps distinguish from other alerts and events appearing in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**. The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine. -You'll see an aggregated view of alerts, a short description of the alert, details on the action taken, and which user ran the action. 
This helps you see significant activities or behaviors that occurred on a machine within your network in relation to a specific time frame. Several icons are used to identify various detections and their current state. For more information, see [Windows Defender ATP icons](portal-overview-windows-defender-advanced-threat-protection.md#windows-defender-atp-icons). +This feature also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period. -This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period. +![Image of machine timeline with events](images/atp-machine-timeline.png) -You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-spotlight) feature to see the correlation between alerts and events on a specific machine. +Windows Defender ATP monitors and captures questionable behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine. -![The timeline shows an interactive history of the alerts seen on a machine](images/timeline.png) +### Search for specific alerts +Use the search bar to look for specific alerts or files associated with the machine: -Use the search bar to look for specific alerts or files associated with the machine. +- **Value** – Type in any search keyword to filter the timeline with the attribute you’re searching for. 
+- **Informational level** – Click the drop-down button to filter by the following levels: + - **Detections mode**: displays Windows ATP Alerts and detections + - **Behaviors mode**: displays "detections" and selected events of interest + - **Verbose mode**: displays "behaviors" (including "detections"), and all reported events +- **User** – Click the drop-down button to filter the machine timeline by the following user associated events: + - Logon users + - System + - Network + - Local service -You can also filter by: - -- Detections mode: displays Windows ATP Alerts and detections -- Behaviors mode: displays "detections" and selected events of interest -- Verbose mode: displays "behaviors" (including "detections"), and all reported events -- Logged on users, System, Network, or Local service +### Filter events from a specific date Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the events of the current day. Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and older. The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the **Alerts view** and click on the machine associated with the alert to jump to the specific date when the alert was observed, enabling you to investigate the events that took place around the alert. -From the **Machine view**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line. +### Export machine timeline events +You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to export the machine timeline for the current date or specify a date range. You can export up to seven days of data and specify the specific time between the two dates. 
+ +![Image of export machine timeline events](images/atp-export-machine-timeline-events.png) + +### Navigate between pages +Use the events per page drop-down to choose the number of alerts you’d like to see on the page. You can choose to display 20, 50, or 100 events per page. You can also move between pages by clicking **Older** or **Newer**. + +From the **Machines view**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line. From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the information to respond to events and keep your system secure. -Windows Defender ATP monitors and captures questionable behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine. - -![The process tree shows you a hierarchical history of processes and events on the machine](images/machine-investigation.png) - -**Investigate a machine:** - -1. Select the machine that you want to investigate. You can select or search a machine from any of the following views: - - **Dashboard** - click the machine name from the **Top machines with active alerts** section - - **Alerts queue** - click the machine name beside the machine icon - - **Machines view** - click the heading of the machine name - - **Search box** - select **Machine** from the drop-down menu and enter the machine name -2. Information about the specific machine is displayed. 
+![Image of machine timeline details pane](images/atp-machine-timeline-details-panel.png) -**Use the machine timeline** +You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) feature to see the correlation between alerts and events on a specific machine. -1. Use the sort and filter feature to narrow down the search results. -2. Use the timeline search box to filter specific indicators that appear in the machine timeline. -3. Click the expand icon ![The expand icon looks like a plus symbol](images/expand.png) in the timeline row or click anywhere on the row to see additional information about the alert, behavior, or event. +Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigating further into the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of metadata on the file or IP address. +This enhances the ‘in-context’ information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context. 
-### Related topics +## Related topics - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..276cb49632 --- /dev/null +++ b/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,75 @@ +--- +title: Investigate user account in Windows Defender Advanced Threat Protection +description: Investigate a user account in Windows Defender Advanced Threat Protection for potential compromised credentials or pivot on the associated user account during an investigation. +keywords: investigate, account, user, user entity, alert, windows defender atp +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- +# Investigate a user account in Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +## Investigate user account entities +Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account. + +You can find user account information in the following views: +- Dashboard +- Alert queue +- Machine details page + +A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown. + +When you investigate a user account entity, you'll see: +- User account details and Logged on machines +- Alerts related to this user +- Observed in organization (machines logged on to) + +![Image of the user account entity details page](images/atp-user-details-view.png) + +The user account entity details and logged on machines section display various attributes about the user account. You'll see details such as when the user was first and last seen and the total number of machines the user logged on to. 
You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine. + +The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert. + +The **Observed in organization** section allows you to specify a date range to see a list of machines where this user was observed logged on to, and the most frequent and least frequent logged on user account on each of these machines. + +The machine health state is displayed in the machine icon and color as well as in a description text. Clicking on the icon displays additional details regarding machine health. + +![Image of observed in organization section](images/atp-observed-in-organization.png) + +## Search for specific user accounts + +1. Select **User** from the **Search bar** drop-down menu. +2. Enter the user account in the **Search** field. +3. Click the search icon or press **Enter**. + +A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of machines it was observed logged on to in the last 30 days. 
+ +You can filter the results by the following time periods: +- 1 day +- 3 days +- 7 days +- 30 days +- 6 months + +## Related topics +- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) +- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) +- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) +- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..76dd0c900d --- /dev/null +++ b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,97 @@ +--- +title: View and organize the Windows Defender ATP machines view +description: Learn about the available features that you can use from the Machines view such as sorting, filtering, and exporting the machine list which can enhance investigations. +keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# View and organize the Windows Defender ATP Machines view + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +The **Machines view** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network. + +Use the Machines view in these main scenarios: + +- **During onboarding**
+ During the onboarding process, the **Machines view** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis. +- **Day-to-day work** + The **Machines view** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them. + +## Sort, filter, and download the list of machines from the Machines view +You can sort the **Machines view** by clicking on any column header to sort the view in ascending or descending order. + +Filter the **Machines view** by time period, **Active malware categories**, or **Sensor health state** to focus on certain sets of machines, according to the desired criteria. + +You can also download the entire list in CSV format using the **Export to CSV** feature. + +![Image of machines view with list of machines](images/atp-machines-view-list.png) + +You can use the following filters to limit the list of machines displayed during an investigation: + +**Time period**
+- 1 day +- 3 days +- 7 days +- 30 days +- 6 months + +**Malware category**
+Filter the list to view specific machines grouped together by the following malware categories: + - **Ransomware** – Ransomware use common methods to encrypt files using keys that are known only to attackers. As a result, victims are unable to access the contents of the encrypted files. Most ransomware display or drop a ransom note—an image or an HTML file that contains information about how to obtain the attacker-supplied decryption tool for a fee. + - **Credential theft** – Spying tools, whether commercially available or solely used for unauthorized purposes, include general purpose spyware, monitoring software, hacking programs, and password stealers. + These tools collect credentials and other information from browser records, key presses, email and instant messages, voice and video conversations, and screenshots. They are used in cyberattacks to establish control and steal information. + - **Exploit** – Exploits take advantage of unsecure code in operating system components and applications. Exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine. Exploits are found in both commodity malware and malware used in targeted attacks. + - **General malware** – Malware are malicious programs that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. Some malware can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyberattacks. + - **Unwanted software** – Unwanted software is a category of applications that install and perform undesirable activity without adequate user consent. These applications are not necessarily malicious, but their behaviors often negatively impact the computing experience, even appearing to invade user privacy. 
Many of these applications display advertising, modify browser settings, and install bundled software. + +**Sensor health state**
+Filter the list to view specific machines grouped together by the following machine health states: + +- **Active** – Machines that are actively reporting sensor data to the service. +- **Misconfigured** – Machines that have impaired communication with service or are unable to send sensor data. For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). +- **Inactive** – Machines that have completely stopped sending signals for more than 7 days. + +## Export machine list to CSV +You can download a full list of all the machines in your organization, in CSV format. Click the **Manage** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file. + +**Note**: Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is. +Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself. 
+ +## Sort the Machines view +You can sort the **Machines view** by the following columns: + +- **Machine name** - Name or GUID of the machine +- **Last seen** - Date and time when the machine last reported sensor data +- **Internal IP** - Local internal Internet Protocol (IP) address of the machine +- **Health State** – Indicates if the machine is misconfigured or is not sending sensor data +- **Active Alerts** - Number of alerts reported by the machine by severity +- **Active malware detections** - Number of active malware detections reported by the machine + +> [!NOTE] +> The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](windows-defender-in-windows-10.md) as the active real-time protection antimalware product. + + +## Related topics +- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) +- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) +- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) +- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [Manage Windows Defender Advanced Threat Protection 
alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md index d707f81431..4f1523a324 100644 --- a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md 
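Review bot: In the new machines-view-overview topic, the Misconfigured bullet under Sensor health state links to `fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md`, where "unhealhty" is misspelled; confirm the target file really carries that spelling (preview-windows-defender-advanced-threat-protection.md in this same change uses it too), otherwise the link breaks. The same bullet has the comma on the wrong side of "see" in "For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors]". Wording in the same file: "Ransomware use common methods" should be "Ransomware uses", and "identification of machines most at risk in a glance" should be "at a glance". The Related topics entry "[View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)" has a stray space before the closing bracket that renders inside the link text.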
@@ -21,22 +21,13 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Windows Defender ATP notifies you of detected, possible attacks or breaches through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu. +Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu. -For more information on how to investigate alerts see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts). +You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view. -Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the top of the alert to access the Manage Alert menu and manage alerts. +Selecting an alert in either of those places brings up the **Alert management pane**. -![The manage alert menu lets you change the status of an alert, create suppression rules, or enter comments](images/manage-alert-menu.png) - -The **Manage alert** icon appears on the alert's heading in the **New**, **In Progress**, or **Resolved** queues, and on the details page for individual alerts. - -You can use the **Manage Alert** menu to: - -- Change the status of an alert -- Resolve an alert -- Suppress alerts so they won't show up in the **Alerts queue** from this point onwards -- View the history and comments of an alert +![Image of alert status](images/atp-alert-status.png) ## Change the status of an alert 
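Review bot: The new opening sentence "Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts" reads as if attributes and contextual information are themselves what you are notified about; the removed wording ("detected, possible attacks or breaches") was clearer. Suggest "Windows Defender ATP notifies you of possible attacks or breaches through alerts, together with their attributes and contextual information." The hunk also drops the pointer to investigate-alerts-windows-defender-advanced-threat-protection.md without a replacement; since this topic no longer explains investigation, keep a "For more information on how to investigate alerts, see ..." line.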
@@ -46,21 +37,18 @@ For example, a team leader can review all **New** alerts, and decide to assign t Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert. -**Change an alert's status:** +## Alert classification +You can specify if an alert is a true alert or a false alert. -1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of the alert. -2. Choose the new status for the alert (the current status is highlighted in bold and appears on the alert). +## Assign alerts +If an alert is no yet assigned, you can select **Assign to me** to assign the alert to yourself. -## Resolve an alert +## Add comments and view the history of an alert +You can add comments and view historical events about an alert to see previous changes made to the alert. -You can resolve an alert by changing the status of the alert to **Resolved**. This causes the **Resolve conclusion** window to appear, where you can indicate why the alert was resolved and enter any additional comments. - -![You can resolve an alert as valid, valid - allowed, or false alarm](images/resolve-alert.png) - -The comments and change of status are recorded in the Comments and history window. - -![The comments window will display a history of status changes](images/comments.png) +Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** section. +Added comments instantly appear on the pane. ## Suppress alerts 
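Review bot: Removing the "**Change an alert's status:**" steps leaves the "Change the status of an alert" section describing what the New, In Progress and Resolved queues mean without saying how the status is changed in the new Alert management pane; add a one-line procedure (select the alert, then choose the status in the pane). Typo in the new "Assign alerts" section: "If an alert is no yet assigned" should be "not yet assigned". The new "Alert classification" section says only "You can specify if an alert is a true alert or a false alert"; state where in the pane this is set and what the classification is used for, or it is too thin to stand as its own section.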
@@ -85,8 +73,9 @@ The context of the rule lets you tailor the queue to ensure that only alerts you **Suppress an alert and create a suppression rule:** -1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of an existing alert. -2. Choose the context for suppressing the alert. +1. Select the alert you'd like to suppress. This brings up the **Alert management** pane. +2. Scroll down to the **Supression rules** section. +3. Choose the context for suppressing the alert. > [!NOTE] > You cannot create a custom or blank suppression rule. You must start from an existing alert. @@ -96,12 +85,11 @@ The context of the rule lets you tailor the queue to ensure that only alerts you 1. Click the settings icon ![The settings icon looks like a cogwheel or gear](images/settings.png) on the main menu bar at the top of the Windows Defender ATP screen. 2. Click **Suppression rules**. - ![Click the settings icon and then Suppression rules to create and modify rules](images/suppression-rules.png) - -> [!NOTE] -> You can also click **See rules** in the confirmation window that appears when you suppress an alert. + ![Click the settings icon and then Suppression rules to create and modify rules](images/atp-suppression-rules.png) The list of suppression rules shows all the rules that users in your organization have created. +![Suppression rules show the rule name or title, the context, the date, and an icon to delete the rule](images/rules-legend.png) + Each rule shows: - (1) The title of the alert that is suppressed 
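Review bot: Typo in step 2 of the suppression procedure: "Scroll down to the **Supression rules** section" should be "Suppression rules" (the settings path in the next hunk, "Click **Suppression rules**", spells it correctly). In the following hunk the note "You can also click **See rules** in the confirmation window that appears when you suppress an alert" is removed, leaving the settings cogwheel as the only documented route to the rules list; confirm the confirmation window no longer offers "See rules", otherwise the note should stay.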
@@ -109,39 +97,15 @@ Each rule shows: - (3) The date when the alert was suppressed - (4) An option to delete the suppression rule, which will cause alerts with this title to be displayed in the queue from this point onwards. -![Suppression rules show the rule name or title, the context, the date, and an icon to delete the rule](images/rules-legend.png) -## View the history and comments of an alert -You can use the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to see a list of previous changes and comments made to the alert and to add new comments. You can also use the menu to open multiple alerts in different tabs so you can compare several alerts at the same time. - -Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** window. - -**See the history of an alert and its comments:** - -1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of the alert. -2. Click **Comments and history** to view related comments and history on the alert. - -Comments are indicated by a message box icon (![The comments icon looks like a speech bubble](images/comments-icon.png)) and include the username of the commenter and the time the comment was made. - -**Add a new comment:** - -1. Type your comment into the field. -2. Click **Post Comment**. - -The comment will appear instantly. - -You will also be prompted to enter a comment if you change the status of an alert to **Resolved**. 
- -Changes are indicated by a clock icon (![The changes icon looks like an analog clock face](images/changes-icon.png)), and are automatically recorded when: - -- The alert is created -- The status of the alert is changed - -### Related topics +## Related topics - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) 
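Review bot: The rewritten Related topics list replaces "[View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)" with a version that has a trailing space before the closing bracket; drop the space (the same stray space appears in the machines-view topic added in this change). Removing the "View the history and comments of an alert" section also drops two facts the new "Add comments and view the history of an alert" section does not carry: that changes are recorded automatically when the alert is created and when its status changes, and that resolving an alert prompts for a comment. If those still hold in the new pane, move them into the new section rather than losing them.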
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index 7125de6f76..b8c5694f12 100644 --- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Minimum requirements for Windows Defender Advanced Threat Protection +title: Minimum requirements for Windows Defender ATP description: Minimum network and data storage configuration, endpoint hardware and software requirements, and deployment channel requirements for Windows Defender ATP. keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, endpoint, endpoint configuration, deployment channel search.product: eADQiWindows 10XVcnh diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md index 8c9f2086ff..ac785c854a 100644 --- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md 
@@ -30,13 +30,12 @@ You can use the [Windows Defender ATP portal](https://securitycenter.windows.com ## Windows Defender ATP portal When you open the portal, you’ll see the main areas of the application: -- (1) Settings + + ![Windows Defender Advanced Threat Protection portal](images/atp-main-portal.png) + +- (1) Search, Feedback, Settings, Help and support - (2) Navigation pane - (3) Main portal -- (4) Search bar - - - ![Windows Defender Advanced Threat Protection portal](images/portal-image.png) > [!NOTE] > Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. @@ -45,15 +44,15 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- -(1) Settings | Provides access to configuration settings such as time zone, alert suppression rules, and license information. -(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Enpoint Management**. +(1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text.
**Feedback** -Access the feedback button to provide comments about the portal.
**Settings** - Gives you access to the configuration settings where you can set time zones, alert suppression rules, and license information.
**Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support. +(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Service health**, **Preferences setup**, and **Enpoint Management**. **Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization. **Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts. **Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. -**Preferences setup**| Shows the settings you selected and lets you update your industry preferences and retention policy period. -**Enpoint Management**| Allows you to download the onboarding configuration package. +**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service status is healthy or if there are current issues. +**Preferences setup**| Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features. +**Endpoint Management**| Allows you to download the onboarding configuration package. It provides access to endpoint offboarding. (3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view. -(4) Search | Search for machines, files, external IP Addresses, or domains across endpoints. The drop-down combo box allows you to select the entity type. ## Windows Defender ATP icons The following table provides information on the icons used all throughout the portal: 
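Review bot: The (2) Navigation pane cell still spells "**Enpoint Management**" while the new table row directly below it was corrected to "**Endpoint Management**"; fix the cell so the two match. In the new Service health row, "current status of the Window Defender ATP service" is missing the "s" in Windows. The (1) cell now bundles four items (Search, Feedback, Settings, Help and support) into a single table cell whose text runs together in this diff; if line breaks are intended inside the cell, use explicit break tags so the markdown table renders them, otherwise split the four items into rows as was done for the navigation pane entries.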
@@ -65,7 +64,8 @@ Icon | Description ![Active threat icon](images/active-threat-icon.png)| Active threat – Threats actively executing at the time of detection. ![Remediated icon](images/remediated-icon.png)| Remediated – Threat removed from the machine ![Not remediated icon](images/not-remediated-icon.png)| Not remediated – Threat not removed from the machine. +![Thunderbolt icon](images/atp-thunderbolt-icon.png) | Indicates events that triggered an alert in the **Alert process tree**. -### Related topic +## Related topic [Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..b06391c16d --- /dev/null +++ b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md 
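Review bot: The new Thunderbolt icon row in the portal-overview icon table breaks the table's "Name – Description" pattern ("Active threat – Threats actively executing at the time of detection.", "Not remediated – Threat not removed from the machine."); lead with a name, for example "Alert trigger – Indicates the events that triggered an alert in the **Alert process tree**." While touching this table, the "Remediated – Threat removed from the machine" row is the only one without a terminal period.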
@@ -0,0 +1,113 @@ +--- +title: PowerShell code examples for the custom threat intelligence API +description: Use PowerShell code to create custom threat intelligence using REST API. +keywords: powershell, code examples, threat intelligence, custom threat intelligence, rest api, api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# PowerShell code examples for the custom threat intelligence API + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +This article provides PowerShell code examples for using the custom threat intelligence API. + +These code examples demonstrate the following tasks: +- [Obtain an Azure AD access token](#obtain-an-azure-ad-access-token) +- [Create headers](#create-headers) +- [Create calls to the custom threat intelligence API](#create-calls-to-the-custom-threat-intelligence-api) +- [Create a new alert definition](#create-a-new-alert-definition) +- [Create a new indicator of compromise](#create-a-new-indicator-of-compromise) + +## Obtain an Azure AD access token +The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token. 
+ +Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal: + +``` + +$tenantId = '{Your Tenant ID} +$clientId = '{Your Client ID}' +$clientSecret = '{Your Client Secret}' + +$authUrl = "https://login.windows.net/{0}/oauth2/token" -f $tenantId + +$tokenPayload = @{ + "resource"='https://graph.windows.net' + "client_id" = $clientId + "client_secret" = $clientSecret + "grant_type"='client_credentials'} + +$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload +$token = $response.access_token + +``` + +## Create headers +The following example demonstrates how to create headers used for the requests with the API. + +``` +$headers = @{} +$headers.Add("Content-Type", "application/json") +$headers.Add("Accept", "application/json") +$headers.Add("Authorization", "Bearer {0}" -f $token) + +``` + +## Create calls to the custom threat intelligence API +The following example demonstrates how to view all alert definition entities by creating a call to the API. + +``` +$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" +$alertDefinitions = + (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value +``` + +If this is the first time to use the API, the response is empty. + +## Create a new alert definition +The following example shows how to create a new alert definition. 
+ +``` +$alertDefinitionPayload = @{ + "Name"= "The Alert's Name" + "Severity"= "Low" + "InternalDescription"= "An internal description of the Alert" + "Title"= "The Title" + "UxDescription"= "Description of the alerts" + "RecommendedAction"= "The alert's recommended action" + "Category"= "Trojan" + "Enabled"= "true"} + + +$alertDefinition = + Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json) +``` + +## Create a new indicator of compromise +The following example shows how to use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. + +``` +$iocPayload = @{ + "Type"="Sha1" + "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff" + "DetectionFunction"="Equals" + "Enabled"="true" + "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId } + + +$ioc = Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) +``` diff --git a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..5d51de963a --- /dev/null +++ b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md 
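Review bot: Two defects in the new PowerShell topic stop the samples from running as pasted. In the token example `$tenantId = '{Your Tenant ID}` is missing its closing quote, so the whole block fails to parse; it should read `$tenantId = '{Your Tenant ID}'`. In the indicator-of-compromise example, `"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId` uses `$alertDefinitionId`, which is never assigned; the preceding example stores the POST response in `$alertDefinition`, so either assign `$alertDefinitionId` from that response's ID property in the alert definition example or format with the property directly. Since `$clientSecret` is a tenant credential, add a sentence that the secret should not be left in a saved script (read it at run time or from a secret store). The code fences are untagged; tag them with the language name (powershell) for highlighting, as the other sample topics tag theirs.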
@@ -0,0 +1,32 @@ +--- +title: Configure Windows Defender Advanced Threat Protection preferences settings +description: Use the preferences setup to configure and update your preferences settings such as enabling advanced features, preview experience, email notifications, or custom threat intelligence. +keywords: preferences settings, settings, advanced features, preview experience, email notifications, custom threat intelligence +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- +# Configure Windows Defender ATP preferences settings + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Use the **Preferences setup** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature. + +## In this section + +Topic | Description +:---|:--- +[Update general settings](general-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process. +[Enable advanced features](advanced-features-windows-defender-advacned-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products. +[Enable the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) | Allows you to turn on preview features so you can try upcoming features. +[Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications. 
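Review bot: The new preferences-setup topic's intro says the menu covers "general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature", but the "In this section" table has no row for a custom threat intelligence topic; add one (the PowerShell and Python custom threat intelligence topics in this change tell readers to get tenant_id, client_id and client_secret from the Preferences settings page) or drop it from the intro. The list is also not parallel; suggest "modify general settings, turn on advanced features, enable the preview experience, configure email notifications, and set up custom threat intelligence". The advanced features link target `advanced-features-windows-defender-advacned-threat-protection.md` has "advacned" misspelled; preview-settings-windows-defender-advanced-threat-protection.md in this change uses the same spelling, so confirm the actual filename before merging.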
diff --git a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..9304e0ab7e --- /dev/null +++ b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md @@ -0,0 +1,31 @@ +--- +title: Turn on the preview experience in Windows Defender Advanced Threat Protection +description: Turn on the preview experience in Windows Defender Advanced Threat Protection to try upcoming features. +keywords: advanced features, preferences setup, block file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- +# Turn on the preview experience in Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Turn on the preview experience setting to be among the first to try upcoming features. + +1. In the navigation pane, select **Preferences setup** > **Preview experience**. +2. Toggle the setting between **On** and **Off** and select **Save preferences**. + +## Related topics +- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) +- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md) +- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..a85f157968 --- /dev/null 
+++ b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md 
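Review bot: The new preview-settings topic's front matter carries `keywords: advanced features, preferences setup, block file`, which describe the advanced-features topic (Block file is named as an advanced feature in the preferences-setup topic), not this preview-experience topic; replace them with preview-related keywords like those in preview-windows-defender-advanced-threat-protection.md ("preview, preview experience"). Its Related topics entry "Turn on advanced features in Windows Defender ATP" links to `advanced-features-windows-defender-advacned-threat-protection.md`, where "advacned" looks misspelled; confirm the real filename.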
@@ -0,0 +1,51 @@ +--- +title: Windows Defender ATP preview features +description: Learn how to access Windows Defender Advanced Threat Protection preview features. +keywords: preview, preview experience, Windows Defender Advanced Threat Protection, features, updates +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Windows Defender ATP preview features + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities. + +Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. + +You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. + +For more information, see [Turn on the preview experience](preview-settings-windows-defender-advanced-threat-protection.md). + +## Preview features +The following features are included in the preview release: + +- [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) - Take action on machine related alerts to quickly respond to detected attacks by isolating machines or collecting an investigation package. 
+ - [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) + - [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation) + - [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) + +- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) - Take action on file related alerts to quickly respond to detected attacks by stopping and quarantining files or blocking a file. + - [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) + - [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) + - [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) + +- [Check sensor status](check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix sensor issues if you identify problematic machines. + - [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) + +>[!NOTE] +> All response features require machines to be on the latest Windows 10 Insider Preview build and above. diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..4b482cc066 --- /dev/null +++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md 
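Review bot: The closing note in the new preview features topic, "All response features require machines to be on the latest Windows 10 Insider Preview build and above", is self-contradictory ("latest ... and above"); say either "require the latest Windows 10 Insider Preview build" or name the minimum build. The note covers only response features, while "Check sensor status" is also listed as a preview feature; state whether it has the same requirement. The "Fix unhealthy sensors" bullet links to `fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md` with "unhealhty" misspelled in the filename; confirm that is the actual file name.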
@@ -0,0 +1,121 @@ +--- +title: Python code examples for the custom threat intelligence API +description: Use Python code to create custom threat intelligence using REST API. +keywords: python, code examples, threat intelligence, custom threat intelligence, rest api, api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Python code examples for the custom threat intelligence API + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +## Before you begin +You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library. + +These code examples demonstrate the following tasks: +- [Obtain an Azure AD access token](#obtain-an-azure-ad-access-token) +- [Create request session object](#create-a-request's-session-object) +- [Create calls to the custom threat intelligence API](#create-calls-to-the-custom-threat-intelligence-api) +- [Create a new alert definition](#create-a-new-alert-definition) +- [Create a new indicator of compromise](#create-a-new-indicator-of-compromise) + +## Obtain an Azure AD access token +The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token. 
+ +Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal: + +``` + +import json +import requests +from pprint import pprint + +tenant_id="{your tenant ID}" +client_id="{your client ID" +client_secret="{your client secret}" + +full_auth_url = r"https://login.windows.net/{0}/oauth2/token".format(tenant_id) + +payload = {"resource": "https://graph.windows.net", + "client_id": client_id, + "client_secret": client_secret, + "grant_type": "client_credentials"} + + +response = requests.post(full_auth_url, payload) +token = json.loads(response.text)["access_token"] +``` + +## Create request session object +Add HTTP headers to the session object, including the Authorization header with the token that was obtained. + +``` +with requests.Session() as session: + session.headers = { + 'Authorization': 'Bearer {}'.format(token), + 'Content-Type': 'application/json', + 'Accept': 'application/json'} +``` + +## Create calls to the custom threat intelligence API +The following example shows how to view all of the alert definition entities by creating a call to the API. + +>[!NOTE] +> All code is still within the ```with``` statement with the same indention level. + +```json + +response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions") +pprint(json.loads(response.text)) +``` + +If this is the first time to use the API, the response is empty. + +## Create a new alert definition +The following example shows how to create a new alert definition. 
+ +``` + +alert_definition = {"Name": "The Alert's Name", + "Severity": "Low", + "InternalDescription": "An internal description of the Alert", + "Title": "The Title", + "UxDescription": "Description of the alerts", + "RecommendedAction": "The alert's recommended action", + "Category": "Trojan", + "Enabled": True} + +response = session.post( + "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions", + json=alert_definition) +``` + +## Create a new indicator of compromise +The following example shows how to use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. + +``` +alert_definition_id = json.loads(response.text)["Id"] + ioc = {'Type': "Sha1", + 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff", + 'DetectionFunction': "Equals", + 'Enabled': True, + "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)} + + response = session.post( + "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise", + json=ioc) +``` diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..4cd712c7a8 --- /dev/null +++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md 
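Review bot: in the token example, `client_id="{your client ID"` is missing its closing brace, so a reader who pastes the placeholder pattern ends up with a malformed value; it should read `client_id="{your client ID}"` like the tenant and secret lines. The "Create calls" block is fenced as ```json although it is Python, and the other fences carry no language at all; tag them all as python so they highlight consistently. In the final indicator-of-compromise block, `alert_definition_id = json.loads(response.text)["Id"]` sits at column 0 while the `ioc = {...}` and `response = session.post(` lines that follow are indented one level, which is an indentation error if run as written and also contradicts the earlier note that all code stays inside the `with` block at the same level; re-indent the whole block to one level. Since the `Id` lookup assumes the preceding POST succeeded, consider adding `response.raise_for_status()` before it so a failed alert-definition creation surfaces as an error rather than a `KeyError`. Two smaller points: the table-of-contents anchor `#create-a-request's-session-object` does not match the heading "Create request session object" (the generated anchor would be `#create-request-session-object`), and the example hardcodes `client_secret` in source; a sentence advising readers to load it from a protected store or environment variable rather than a script would be a cheap improvement.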
@@ -0,0 +1,231 @@ +--- +title: Take response actions on a file in Windows Defender Advanced Threat Protection +description: Take response actions on file related alerts by stopping and quarantining a file or blocking a file and checking activity details. +keywords: respond, stop and quarantine, block file, deep analysis +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Take response actions on a file + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre–released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +You can take action on file related alerts to quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center. + +>[!NOTE] +> These response actions are only available for machines on Windows 10, version 1703. + +You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file. + +## Stop and quarantine files in your network +You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed. + +The **Stop & Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. + +The action takes effect on machines with the latest Windows 10 Insider Preview build where the file was observed in the last 30 days. + +### Stop and quarantine files +1. 
Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: + + – **Alerts** - click the corresponding links from the Description or Details in the Alert timeline + – **Search box** - select File from the drop–down menu and enter the file name + +2. Open the **Actions menu** and select **Stop & Quarantine File**. + ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) + +3. Type a comment (optional), and select **Yes** to take action on the file. The comment will be saved in the Action center for reference. + + The Action center shows the submission information: + ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) + + – **Submission time** - Shows when the action was submitted. + – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. + – **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network. + – **Success** - Shows the number of machines where the file has been stopped and quarantined. + – **Failed** - Shows the number of machines where the action failed and details about the failure. + +4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed. + +**Notification on machine user**:
+When the file is being removed from an endpoint, the following notification is shown: + +![Image of notification on machine user](images/atp-notification-file.png) + +In the machine timeline, a new event is added for each machine where a file was stopped and quarantined. + +>[!NOTE] +>The **Action** button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal of critical system files and files used by important applications. + +![Image of action button turned off](images/atp-file-action.png) + +For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended. + +### Remove file from quarantine +You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each machine where the file was quarantined. + +1. Open an elevated command–line prompt on the endpoint: + + a. Go to **Start** and type cmd. + + b. Right–click **Command prompt** and select **Run as administrator**. + +2. Enter the following command, and press **Enter**: + ``` + “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All + ``` + >[!NOTE] + >Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days. + +## Block files in your network +You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. + +>[!NOTE] +>This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](configure-windows-defender-in-windows-10.md).

+This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. The coverage will be extended over time. The action takes effect on machines with the latest Windows 10 Insider Preview build. + +### Enable the block file feature +1. In the navigation pane, select **Preference Setup** > **Advanced features** > **Block file**. + +2. Toggle the setting between **On** and **Off** and select **Save preferences**. + + ![Image of preferences setup](images/atp-preferences-setup.png) + +3. Type a comment (optional) and select **Yes** to take action on the file. +The Action center shows the submission information: + + ![Image of block file](images/atp-blockfile.png) + + – **Submission time** - Shows when the action was submitted. + – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. + – **Status** - Indicates whether the file was added to or removed from the blacklist. + +When the file is blocked, there will be a new event in the machine timeline.
+ +**Notification on machine user**:
+When a file is being blocked on the endpoint, the following notification is displayed to inform the user that the file was blocked: + +![Image of notification on machine user](images/atp-notification-file.png) + +>[!NOTE] +>The **Action** button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization caused by the removal of files that might be related to the operating system. + +![Image of action button turned off](images/atp-file-action.png) + +For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended. + +### Remove file from blocked list +1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box: + + – **Alerts** - Click the file links from the Description or Details in the Alert timeline + – **Machines view** - Click the file links in the Description or Details columns in the Observed on machine section + – **Search box** - Select File from the drop–down menu and enter the file name + +2. Open the **Actions** menu and select **Remove file from blocked list**. + + ![Image of remove file from blocked list](images/atp-remove-blocked-file.png) + +3. Type a comment and select **Yes** to take action on the file. The file will be allowed to run in the organization. + + +## Check activity details in Action center +The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the details on the last action that were taken on a file such as stopped and quarantined files or blocked files. + +![Image of action center with information](images/atp-action-center-with-info.png) + +## Deep analysis +Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. 
To enrich the data related to the file, you can submit the file for deep analysis. + +The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs. +Deep analysis currently supports extensive analysis of portable executable (PE) files (including _.exe_ and _.dll_ files). + +Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. + +Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts. + +### Submit files for analysis + +Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view. + +In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis. + +> [!NOTE] +> Only files from Windows 10 can be automatically collected. + +You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available. 
+ +> [!NOTE] +> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP. + +When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications. + +**Submit files for deep analysis:** + +1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: + – Alerts - click the file links from the **Description** or **Details** in the Alert timeline + – **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section + – Search box - select **File** from the drop–down menu and enter the file name +2. In the **Deep analysis** section of the file view, click **Submit**. + +![You can only submit PE files in the file details section](images/submit-file.png) + +>**Note**  Only PE files are supported, including _.exe_ and _.dll_ files + +A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done. + +> [!NOTE] +> Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–submit files for deep analysis to get fresh data on the file. + +### View deep analysis reports + +View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context. 
+ +You can view the comprehensive report that provides details on: + +– Observed behaviors +– Associated artifacts + +The details provided can help you investigate if there are indications of a potential attack. + + +1. Select the file you submitted for deep analysis. +2. Click **See the report below**. Information on the analysis is displayed. + +![The deep analysis report shows detailed information across a number of categories](images/analysis-results.png) + +### Troubleshooting deep analysis + +If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps. + + +1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications). +2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. +3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error. +4. Verify the policy setting enables sample collection and try to submit the file again. + + a. Change the following registry entry and values to change the policy on specific endpoints: + ``` +HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection + Value = 0 – block sample collection + Value = 1 – allow sample collection +``` +5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md). +6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). + +> [!NOTE] +> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default. + +## Related topics +– [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) 
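Review bot: the MpCmdRun command in "Remove file from quarantine" uses typographic quotes and en-dashes (`“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All`); pasted into a command prompt that fails, so it needs straight double quotes and ASCII hyphens (`-Restore -Name ... -All`). The note beneath it says Windows Defender ATP "will remove all files that were quarantined on this machine in the last 30 days", but the command restores them; say "restore" so readers are not led to expect deletion. The same en-dash problem affects the bullet markers throughout this file (`– **Alerts**`, `– Observed behaviors`, and so on), which markdown will not render as list items, and the "pre–released" disclaimer and "drop–down" spellings. In "Enable the block file feature", step 3 jumps to "Type a comment (optional) and select **Yes** to take action on the file" without a step that selects the file and opens the Actions menu to choose the block action, so the procedure is missing its central step. In the troubleshooting registry block, the value name is absent: it shows `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` with "Value = 0" and "Value = 1" but only the later note reveals the name is *AllowSampleCollection*; put the value name in the block itself. Also the version statements conflict within the file ("only available for machines on Windows 10, version 1703" versus "takes effect on machines with the latest Windows 10 Insider Preview build"), and "runs the file in is a secure environment" has a stray "in".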
diff --git a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..e4ffc6abe9 --- /dev/null +++ b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,131 @@ +--- +title: Take response actions on a machine in Windows Defender Advanced Threat Protection +description: Take response actions on a machine by isolating machines, collecting an investigation package, and checking activity details. +keywords: respond, isolate, isolate machine, collect investigation package, action center +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Take response actions on a machine + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +You can take action on machine related alerts to quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. + +>[!NOTE] +> These response actions are only available for machines on Windows 10, version 1703. + +## Isolate machines from the network +Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. + +This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. + +>[!NOTE] +>You’ll be able to reconnect the machine back to the network at any time. + +1. Select the machine that you want to isolate. 
You can select or search for a machine from any of the following views: + + - **Dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines view** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. + +2. Open the **Actions** menu and select **Isolate machine**. + + ![Image of isolate machine](images/atp-isolate-machine.png) + +3. Type a comment (optional) and select **Yes** to take action on the machine. + >[!NOTE] + >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. + + The Action center shows the submission information: + ![Image of machine isolation](images/atp-machine-isolation.png) + + - **Submission time** - Shows when the isolation action was submitted. + - **Submitting user** - Shows who submitted the action on the machine. You can view the comments provided by the user by selecting the information icon. + - **Status** - Indicates any pending actions or the results of completed actions. + +When the isolation configuration is applied, there will be a new event in the machine timeline. + +**Notification on machine user**:
+When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network: + +![Image of no network connection](images/atp-notification-isolate.png) + +## Undo machine isolation +Depending on the severity of the attack and the state of the machine you can choose to release the machine isolation after you have verified that the compromised machine has been remediated. + +1. Select a machine that was previously isolated. + +2. Open the **Actions** menu and select **Undo machine isolation**. + + ![Image of undo isolation](images/atp-undo-isolation.png) + +3. Type a comment (optional) and select **Yes** to take action on the file. The machine will be reconnected to the network. + +## Collect investigation package from machines +As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. + +You can download the package (Zip file) and investigate the events that occurred on a machine. + +The package contains the following folders: + +Folder | Description +:---|:--- +Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine.

NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” +Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). +Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

- ActiveNetworkConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

- Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

- Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

- Ipconfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. +Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.

- Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.

- PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. +Processes | Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. +Scheduled tasks | Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. +Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy.

NOTE: Open the event log file using Event viewer. +Services | Contains the services.txt file which lists services and their states. +Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.

Contains files for SMBInboundSessions and SMBOutboundSession.

NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound). +Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system.

This can help to track suspicious files that an attacker may have dropped on the system.

NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system. +Users and Groups | Provides a list of files that each represent a group and its members. +CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. + +1. Select the machine that you want to investigate. You can select or search for a machine from any of the following views: + + - **Dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines view** - Select the heading of the machine name from the machines view. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. + +2. Open the **Actions** menu and select **Collect investigation package**. + + The Action center shows the submission information: + ![Image of investigation package in action center](images/atp-investigation-package-action-center.png) + + - **Submission time** - Shows when the action was submitted. + - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. + - **Status** - Indicates if the package was successfully collected from the network. When the collection is complete, you can download the package. + +3. Select **Package available** to download the package.
+ When the package is available a new event will be added to the machine timeline.
+ You can download the package from the machine page, or the Action center. + + ![Image of investigation package from machine view](images/atp-machine-investigation-package.png) + + You can also search for historical packages in the machine timeline. + +## Check activity details in Action center +The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view if a machine was isolated and if an investigation package is available from a machine. All related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed. + +![Image of action center with information](images/atp-action-center-with-info.png) + +## Related topics +- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..3fdf40354f --- /dev/null +++ b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md 
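Review bot: step 3 under "Undo machine isolation" says "select **Yes** to take action on the file" but the action is on a machine, so change "file" to "machine". The investigation package table embeds multi-line cell content (the NOTE lines under Autoruns, Security event log, SMB sessions and Temp Directories, and the bulleted sub-items under Network connections and Prefetch files) directly inside pipe-table rows; a markdown pipe table cannot hold line breaks or nested lists, so those rows will render broken unless the breaks become `<br>` tags or the sub-items move to prose below the table. In the Arp.txt entry, "systems on the network that night have been used" should read "might". The Machines view bullet in the collect procedure ("Select the heading of the machine name from the machines view") differs from the wording used in the isolate procedure above ("Select the machine name from the list of machines"); the two lists should match. As in the other new topics, this file states the feature is "only available for machines on Windows 10, version 1703" while the preview features page in this PR says "latest Windows 10 Insider Preview build"; align them.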
@@ -0,0 +1,47 @@ +--- +title: Take response actions on files and machines in Windows Defender Advanced Threat Protection +description: Take response actions on files and machines by stopping and quarantining files, blocking a file, isolating machines, or collecting an investigation package. +keywords: respond, stop and quarantine, block file, deep analysis, isolate machine, collect investigation package, action center +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Take response actions in Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization. + +>[!NOTE] +> These response actions are only available for machines on Windows 10, version 1703. + +## In this section +Topic | Description +:---|:--- +[Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)| Isolate machines or collect an investigation package. +[Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)| Stop and quarantine files or block a file from your network. 
+ +## Related topics +- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) +- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) +- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) +- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md index a5df900c1d..caaafb618e 100644 --- a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md 
@@ -50,8 +50,8 @@ Setting the time zone also changes the times for all Windows Defender ATP views. To set the time zone: 1. Click the **Settings** menu ![Settings icon](images/settings.png). -2. Select the **Timezone:UTC** indicator. -3. The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**. +2. Select the **Timezone UTC** indicator. +3. Select **Timezone Local** or **-8:00**. ## Suppression rules The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts). diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..32dc72d7fd --- /dev/null +++ b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,53 @@ +--- +title: Understand threat intelligence concepts in Windows Defender ATP +description: Understand the concepts around threat intelligence in Windows Defender Advanced Threat Protection so that you can effectively create custom intelligence for your organization. +keywords: threat intelligence, alert definitions, indicators of compromise, ioc +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Understand threat indicators + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious. + +With Windows Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track. + +Before creating custom threat alerts, it's important to know the concepts behind alert definitions and indicators of compromise (IOCs) and the relationship between them. 
+ +## Alert definitions +Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is critical in gaining a vantage point against attacks and possibly interfering with the chain of events before an attacker's objective is reached. + +## Indicators of compromise (IOC) +IOCs are individually-known malicious events that indicate that a network or machine has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks. + +## Relationship between alert definitions and IOCs +In the context of Windows Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. For more information on available metadata options, see [Threat Intelligence API metadata](custom-ti-api-windows-defender-advanced-threat-protection.md#threat-intelligence-api-metadata). + +Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Windows Defender ATP console. 
+ +Here is an example of an IOC: + - Type: Sha1 + - Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56 + - Action: Equals + +IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it. + +## Related topic +- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Create custom threat indicators using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..5448e0e2f5 --- /dev/null +++ b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,46 @@ +--- +title: Troubleshoot custom threat intelligence issues in Windows Defender ATP +description: Troubleshoot issues that might arise when using the custom threat intelligence feature in Windows Defender ATP. +keywords: troubleshoot, custom threat intelligence, custom ti, rest api, api, alert definitions, indicators of compromise +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Troubleshoot custom threat intelligence issues + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +You might need to troubleshoot issues while using the custom threat intelligence feature. + +This page provides detailed steps to troubleshoot issues you might encounter while using the feature. + + +## Learn how to get a new client secret +If your client secret expires or if you've misplaced the copy provided when you were enabling the custom threat intelligence application, you'll need to get a new secret. + +1. Login to the [Azure management portal](https://ms.portal.azure.com). + +2. Select **Active Directory**. + +3. Select your tenant. + +4. Click **Application**, then select your custom threat intelligence application. + +5. Select **Keys** section, then provide a key description and specify the key validity duration. + +6. Click **Save**. The key value is displayed. + +7. Copy the value and save it in a safe place. 
diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md index 2f238a4d6d..23bb45e5bf 100644 --- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md 
@@ -41,8 +41,11 @@ Topic | Description [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues. [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization. -[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats. [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses. [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. 
+[View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list. +[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats. +[Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts. [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert. +[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take action on a machine or file to quickly respond to detected attacks. diff --git a/windows/manage/start-layout-xml-desktop.md b/windows/manage/start-layout-xml-desktop.md index 1a48aaad33..c86fc0cfe6 100644 --- a/windows/manage/start-layout-xml-desktop.md +++ b/windows/manage/start-layout-xml-desktop.md @@ -26,6 +26,9 @@ On Windows 10 for desktop editions, the customized Start works by: - 2 groups that are 6 columns wide, or equivalent to the width of 3 medium tiles. - 2 medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row. - No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows). + +>[!NOTE] +>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx). ## LayoutModification XML 
diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md index 85a835748e..b588216cb5 100644 --- a/windows/manage/windows-10-start-layout-options-and-policies.md +++ b/windows/manage/windows-10-start-layout-options-and-policies.md @@ -23,6 +23,8 @@ Organizations might want to deploy a customized Start and taskbar configuration >[!NOTE] >Taskbar configuration is available starting in Windows 10, version 1607. +> +>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx). ## Start options
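Review bot: In the new response-actions-windows-defender-advanced-threat-protection.md file, the Related topics link text `[View and organize the Windows Defender Advanced Threat Protection Alerts queue ]` carries a trailing space before the closing bracket, and the intro sentence `so that you can contain or reduce and prevent further damage caused by malicious attackers` does not parse cleanly; drop the space and tighten the sentence to something like `so that you can contain the attack and prevent further damage`. The note `These response actions are only available for machines on Windows 10, version 1703` also reads as if later versions are excluded; if the feature carries forward, say `version 1703 or later`.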
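Review bot: In the settings-windows-defender-advanced-threat-protection.md time-zone hunk, the new step 3 `Select **Timezone Local** or **-8:00**` hard-codes a UTC-8 offset that only matches the writer's own machine; the indicator shows whichever local offset the viewer has, so present it as an example (`for example, **-8:00**`) or describe it as the local UTC offset. The removed step also told the reader how to switch back (`Click it again to change back to **Timezone:UTC**`); if that still works, keep one sentence on returning to UTC so the procedure is reversible.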
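Review bot: In the new threat-indicator-concepts-windows-defender-advanced-threat-protection.md file, several grammatical slips: `comprise of multiple complex malicious events` should be `comprise multiple`, `alert definitions are containers for IOCs and defines the alert` needs `define`, `individually-known` should not be hyphenated, `Metadata such as alert definition name of attack` needs rewording (for example `such as the alert definition name, severity, and description`), and the heading `## Related topic` introduces three links so should read `Related topics`. The IOC example ends with `Action: Equals` while the text says the action `determines how it is matched` but names no other action; one sentence listing the supported actions, or a pointer to the REST API topic already linked below, would close that gap.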
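Review bot: In the new troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md file, step 1 links to `https://ms.portal.azure.com`, which is the Microsoft-tenant-specific portal address; customer-facing steps should point at the general Azure portal. `Login to` should be `Log in to`. Since step 6 (`Click **Save**. The key value is displayed.`) is the only point at which the value is shown, step 7 should say explicitly that the value cannot be retrieved afterwards, and the procedure should add a step to delete the old key from the **Keys** section when the reason for rotating was a misplaced copy rather than expiry, so the lost secret cannot be used by whoever finds it.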
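Review bot: In the use-windows-defender-advanced-threat-protection.md table hunk, the new row `You can sort, filter, and exporting the machine list.` breaks parallelism; make it `You can sort, filter, and export the machine list.` Removing and re-adding the unchanged `[Investigate machines]` row only to move it under the new `[View and organize the Machines view]` row is fine, but note in the commit description that it is a move, not a content change.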
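Review bot: In the start-layout-xml-desktop.md hunk (and the identical note added to windows-10-start-layout-options-and-policies.md), the link `https://technet.microsoft.com/en-US/library/jj649079.aspx` pins the reader to the en-US locale; dropping the `en-US` segment lets the site serve the reader's own locale. The note itself is useful, but it would help to say what actually happens when the layout XML is used with a roaming profile (ignored, applied once, or reset), since `not supported` alone does not tell an administrator what to expect.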