+
+| Service |
+Description |
+URL |
+
+
+|
+ Windows Defender Antivirus cloud-based protection service, also referred to as Microsoft Active Protection Service (MAPS)
+ |
+
+ Used by Windows Defender Antivirus to provide cloud-based protection
+ |
+
+*.wdcp.microsoft.com*
+*.wdcpalt.microsoft.com*
+ |
+
+
+|
+Microsoft Update Service (MU)
+ |
+
+Signature and product updates
+ |
+
+*.updates.microsoft.com
+ |
+
+
+|
+ Definition updates alternate download location (ADL)
+ |
+
+ Alternate location for Windows Defender Antivirus definition updates if the installed definitions fall out of date (7 or more days behind)
+ |
+
+*.download.microsoft.com
+ |
+
+
+|
+ Malware submission storage
+ |
+
+ Upload location for files submitted to Microsoft via the Submission form or automatic sample submission
+ |
+
+*.blob.core.windows.net
+ |
+
+
+|
+Certificate Revocation List (CRL)
+ |
+
+Used by Windows when creating the SSL connection to MAPS for updating the CRL
+ |
+
+http://www.microsoft.com/pkiops/crl/
+http://www.microsoft.com/pkiops/certs
+http://crl.microsoft.com/pki/crl/products
+http://www.microsoft.com/pki/certs
+
+ |
+
+
+|
+Symbol Store
+ |
+
+Used by Windows Defender Antivirus to restore certain critical files during remediation flows
+ |
+
+https://msdl.microsoft.com/download/symbols
+ |
+
+
+|
+Universal Telemetry Client
+ |
+
+Used by Windows to send client telemetry, Windows Defender Antivirus uses this for product quality monitoring purposes
+ |
+
+This update uses SSL (TCP Port 443) to download manifests and upload telemetry to Microsoft that uses the following DNS endpoints: - vortex-win.data.microsoft.com
- settings-win.data.microsoft.com
|
+
+
+
+
+## Validate connections between your network and the cloud
+
+After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud and are correctly reporting and receiving information to ensure you are fully protected.
+
+**Use the cmdline tool to enable cloud-delivered protection:**
+
+Use the following argument with the Windows Defender Antivirus command line utility (mpcmdrun.exe) to verify that your network can communicate with the Windows Defender Antivirus cloud:
+
+```DOS
+MpCmdRun - ValidateMapsConnection
+```
+
+See [Run a Windows Defender scan from the command line](run-scan-command-line-windows-defender-antivirus) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the mpcmdrun.exe utility.
+
+**Attempt to download a fake malware file from Microsoft:**
+
+You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud.
+
+Download the file by visiting the following link:
+- http://aka.ms/ioavtest
+
+>[!NOTE]
+>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
+
+If you are properly connected, you will see a warning notification:
+
+
+
+You will also see a detection in the **Quarantine** section of the **History** tab in the Windows Defender Antivirus app:
+
+
+
+
+>[!IMPORTANT]
+>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
+
+
+**Use PowerShell cmdlets to enable cloud-delivered protection:**
+
+>[!NOTE]
+ >Will there be a powershell cmdlet added for this? Or will it be revealed in [Get-MpComputerStatus](https://technet.microsoft.com/en-us/library/dn433289.aspx)?
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-windows-defender-antivirus) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [Run a Windows Defender scan from the command line](run-scan-command-line-windows-defender-antivirus) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
+- [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/)
+
+
diff --git a/windows/keep-secure/WDAV-working/enable-cloud-protection-windows-defender-antivirus.md b/windows/keep-secure/WDAV-working/enable-cloud-protection-windows-defender-antivirus.md
new file mode 100644
index 0000000000..6e3ac6c58b
--- /dev/null
+++ b/windows/keep-secure/WDAV-working/enable-cloud-protection-windows-defender-antivirus.md
@@ -0,0 +1,133 @@
+---
+title: Enable cloud-delivered antivirus protection in Windows Defender Antivirus (Windows 10)
+description: Enable cloud-delivered protection in Windows Defender Antivirus
+keywords: windows defender antivirus, antimalware, security, defender, cloud, block at first sight
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Enable cloud-delivered protection
+
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+
+
+>[!NOTE]
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+
+
+You can enable or disable cloud-delivered protection with System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients through Windows Settings.
+
+See [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-based protection.
+
+>[!NOTE]
+>In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-based protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
+
+
+**Use Group Policy to enable cloud-delivered protection:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS**
+
+1. Double-click the **Join Microsoft MAPS** setting and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**.
+
+1. Click **OK**.
+
+1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following:
+
+ 1. **Send safe samples** (1)
+ 1. **Send all samples** (3)
+
+ > [!WARNING]
+ > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+
+1. Click **OK**.
+
+
+
+**Use Configuration Manager to enable cloud-delivered protection:**
+
+See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+
+>[!NOTE] I can't see options for 2012, guessing it doesn't exist?
+
+
+**Use PowerShell cmdlets to enable cloud-delivered protection:**
+
+Use the following cmdlets to enable cloud-delivered protection:
+
+```PowerShell
+Set-MpPreference -MAPSReporting Advanced
+Set-MpPreference -SubmitSamplesConsent 3
+```
+>[!NOTE]
+>You can also set -SubmitSamplesConsent to 1. Setting it to 0 will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-windows-defender-antivirus) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Intune to enable cloud-delivered protection**
+
+1. Open the [Microsoft Intune administration console](https://manage.microsoft.com/), and navigate to the associated policy you want to configure.
+2. Under the **Endpoint Protection** setting, scroll down to the **Endpoint Protection Service** section set the **Submit files automatically when further analysis is required** setting to either of the following:
+ 1. **Send samples automatically**
+ 1. **Send all samples automatically**
+
+ > [!WARNING]
+ > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+5. Scoll down to the **Microsoft Active Protection Service** section and set the following settings:
+ Name | Set to
+ :--|:--
+ **Join Microsoft Active Protection Service** | **Yes**
+ **Membership level** | **Advanced**
+ **Receive dynamic definitions based on Microsoft Active Protection Service reports** | **Yes**
+3. Save and [deploy the policy as usual](https://docs.microsoft.com/en-us/intune/deploy-use/common-windows-pc-management-tasks-with-the-microsoft-intune-computer-client).
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) for more details.
+
+**Enable cloud-delivered protection on individual clients with Windows Settings**
+> [!NOTE]
+> If the **Configure local setting override for reporting Microsoft MAPS** GP setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+
+1. Open Windows Defender settings in one of these ways:
+
+ a. Open the Windows Defender Antivirus app and click **Settings**.
+
+ b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender Antivirus**.
+
+2. Switch **Cloud-based Protection** to **On**.
+3. Switch **Automatic sample submission** to **On**.
+
+>[!NOTE]
+>If automatic sample submission has been configured with GP then the setting will be greyed-out and unavailble.
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-windows-defender-antivirus.md)
+- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
+- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx)
+- [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
\ No newline at end of file
diff --git a/windows/keep-secure/WDAV-working/images/defender/client.png b/windows/keep-secure/WDAV-working/images/defender/client.png
new file mode 100644
index 0000000000..4f2118206e
Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/client.png differ
diff --git a/windows/keep-secure/WDAV-working/images/defender/detection-source.png b/windows/keep-secure/WDAV-working/images/defender/detection-source.png
new file mode 100644
index 0000000000..7d471dc22d
Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/detection-source.png differ
diff --git a/windows/keep-secure/WDAV-working/images/defender/download-wdo.png b/windows/keep-secure/WDAV-working/images/defender/download-wdo.png
new file mode 100644
index 0000000000..50d2fc3152
Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/download-wdo.png differ
diff --git a/windows/keep-secure/WDAV-working/images/defender/enhanced-notifications.png b/windows/keep-secure/WDAV-working/images/defender/enhanced-notifications.png
new file mode 100644
index 0000000000..8317458416
Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/enhanced-notifications.png differ
diff --git a/windows/keep-secure/WDAV-working/images/defender/gp.png b/windows/keep-secure/WDAV-working/images/defender/gp.png
new file mode 100644
index 0000000000..8b57c7b45c
Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/gp.png differ
diff --git a/windows/keep-secure/WDAV-working/images/defender/malware-detected.png b/windows/keep-secure/WDAV-working/images/defender/malware-detected.png
new file mode 100644
index 0000000000..91fce5a44b
Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/malware-detected.png differ
diff --git a/windows/keep-secure/WDAV-working/images/defender/notification.png b/windows/keep-secure/WDAV-working/images/defender/notification.png
new file mode 100644
index 0000000000..cad9f162e9
Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/notification.png differ
diff --git a/windows/keep-secure/WDAV-working/images/defender/quarantine.png b/windows/keep-secure/WDAV-working/images/defender/quarantine.png
new file mode 100644
index 0000000000..6a908aedec
Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/quarantine.png differ
diff --git a/windows/keep-secure/WDAV-working/images/defender/sccm-wdo.png b/windows/keep-secure/WDAV-working/images/defender/sccm-wdo.png
new file mode 100644
index 0000000000..8f504b94e1
Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/sccm-wdo.png differ
diff --git a/windows/keep-secure/WDAV-working/images/defender/settings-wdo.png b/windows/keep-secure/WDAV-working/images/defender/settings-wdo.png
new file mode 100644
index 0000000000..23412856b0
Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/settings-wdo.png differ
diff --git a/windows/keep-secure/WDAV-working/images/defender/ux-config-key.png b/windows/keep-secure/WDAV-working/images/defender/ux-config-key.png
new file mode 100644
index 0000000000..3e2d966342
Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/ux-config-key.png differ
diff --git a/windows/keep-secure/WDAV-working/images/defender/ux-uilockdown-key.png b/windows/keep-secure/WDAV-working/images/defender/ux-uilockdown-key.png
new file mode 100644
index 0000000000..86d1b4b249
Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/ux-uilockdown-key.png differ
diff --git a/windows/keep-secure/WDAV-working/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/keep-secure/WDAV-working/specify-cloud-protection-level-windows-defender-antivirus.md
new file mode 100644
index 0000000000..c563f4b3fa
--- /dev/null
+++ b/windows/keep-secure/WDAV-working/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -0,0 +1,69 @@
+---
+title: Specify cloud protection level in Windows Defender Antivirus
+description: Set the aggressiveness of cloud-delivered protection in Windows Defender Antivirus
+keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Specify the cloud-delivered protection level
+
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager.
+
+>[!NOTE]
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for a comparison of the availble levels.
+
+
+>[!NOTE]
+>This lists four settings, and the GP only has two settings, but not description (it says go to the documentation site).
+
+**Use Group Policy to specify the level of cloud-delivered protection:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
+
+1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
+ 1. **Default Windows Defender Antivirus blocking level**.
+ 2. **High blocking level**.
+
+1. Click **OK**.
+
+
+**Use Configuration Manager to specify the level of cloud-delivered protection:**
+
+See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+
+>[!NOTE] I can't see options for 2012 [here](https://technet.microsoft.com/en-us/library/hh508785.aspx#BKMK_List), guessing it doesn't exist?
+
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+-[How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
+
+
diff --git a/windows/keep-secure/WDAV-working/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/keep-secure/WDAV-working/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
new file mode 100644
index 0000000000..48caa6f17d
--- /dev/null
+++ b/windows/keep-secure/WDAV-working/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -0,0 +1,56 @@
+---
+title:
+description:
+keywords: windows defender antivirus, antimalware, security, defender,
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author:
+---
+
+# Utilize Microsoft cloud-provided protection in Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+Cloud-delivered protection for Windows Defender Antivirus, also referred to as Microsoft Advanced Protection Service (MAPS), provides you with strong, fast protection in addition to our standard real-time protection.
+
+>[!NOTE]
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+Enabling cloud-delivered protection helps detect and block new malware even if the malware has never been seen before without needing to wait for a traditionally delivered definition update to block it. Definition updates can take hours to prepare and deliver; our cloud service can deliver updated protection in seconds.
+
+Cloud-delivered protecton is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies.
+
+The following table describes the differences in cloud-based protection between recent versions of Windows and System Center Configuration Manager.
+
+
+Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | Configuration manager 2012 | Configuration manager (current branch) | Microsoft Intune
+---|---|---|---|---|
+Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service
+Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version
+Block at first sight availability | No | Yes | Yes | Not configurable | Configurable | No
+Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | No
+
+# In this section
+
+ Topic | Description
+---|---
+[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
+[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
+[Configure and validate network connections for Windows Defender Antivirus](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
+[Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for a traditional signature. You can enable and configure it with System Center Configuration Manager and Group Policy.
+[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-based protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
+
+
+
+
diff --git a/windows/keep-secure/WDAV-working/1.3.2.3-00 windows-defender-block-at-first-sight.md b/windows/keep-secure/WDAV-working/windows-defender-block-at-first-sight.md
similarity index 100%
rename from windows/keep-secure/WDAV-working/1.3.2.3-00 windows-defender-block-at-first-sight.md
rename to windows/keep-secure/WDAV-working/windows-defender-block-at-first-sight.md
diff --git a/windows/keep-secure/images/defender/malware-detected.png b/windows/keep-secure/images/defender/malware-detected.png
new file mode 100644
index 0000000000..91fce5a44b
Binary files /dev/null and b/windows/keep-secure/images/defender/malware-detected.png differ
diff --git a/windows/keep-secure/images/defender/quarantine.png b/windows/keep-secure/images/defender/quarantine.png
new file mode 100644
index 0000000000..6a908aedec
Binary files /dev/null and b/windows/keep-secure/images/defender/quarantine.png differ