Cloud topics for review

windows/keep-secure/WDAV-working/1.3.2 utilize-microsoft-cloud-protection-windows-defender-antivirus.md

@@ -1,37 +0,0 @@
----
-title: 
-description: 
-keywords: windows defender antivirus, antimalware, security, defender, 
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: 
----
-
-# H1
-
-
-**Applies to:**
-
-- Windows 10, version 1703
-
-**Audience**
-
-- Enterprise security administrators
-
-
-
-
-
-
-
-## Related topics
-
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
-
-
-

windows/keep-secure/WDAV-working/1.3.2.1 enable-configure-cloud-protection-windows-defender-antivirus.md

@@ -1,37 +0,0 @@
----
-title: 
-description: 
-keywords: windows defender antivirus, antimalware, security, defender, 
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: 
----
-
-# H1
-
-
-**Applies to:**
-
-- Windows 10, version 1703
-
-**Audience**
-
-- Enterprise security administrators
-
-
-
-
-
-
-
-## Related topics
-
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
-
-
-

windows/keep-secure/WDAV-working/1.3.2.2 configure-cloud-block-timeout-period-windows-defender-antivirus.md

@@ -1,37 +0,0 @@
----
-title: 
-description: 
-keywords: windows defender antivirus, antimalware, security, defender, 
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: 
----
-
-# H1
-
-
-**Applies to:**
-
-- Windows 10, version 1703
-
-**Audience**
-
-- Enterprise security administrators
-
-
-
-
-
-
-
-## Related topics
-
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
-
-
-

windows/keep-secure/WDAV-working/1.3.3.1 detect-block-potentially-unwanted-apps-windows-defender-antivirus (2).md

@@ -0,0 +1,120 @@
+---
+title: Detect and block Potentially Unwanted Application with Windows Defender
+description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
+keywords: pua, enable, detect pua, block pua, windows defender and pua
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: detect
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: dulcemv
+---
+
+# Detect and block Potentially Unwanted Application in Windows 10
+
+**Applies to:**
+
+- Windows 10
+
+You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
+
+Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
+
+Typical examples of PUA behavior include:
+*	Various types of software bundling
+*	Ad-injection into your browsers
+*	Driver and registry optimizers that detect issues, request payment to fix them, and persist
+
+These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
+
+Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
+
+##Enable PUA protection in System Center Configuration Manager and Intune
+
+The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
+
+###Configure PUA in System Center Configuration Manager
+
+For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
+
+If you are using these versions | See these topics
+:---|:---
+System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
+System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
+
+<br>
+###Use PUA audit mode in System Center Configuration Manager
+
+You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives.
+
+1. Open PowerShell as Administrator: <br>
+
+    a.  Click **Start**, type **powershell**, and press **Enter**.
+    
+    b.  Click **Windows PowerShell** to open the interface.
+    >[!NOTE]
+    >You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+2. Enter the PowerShell command:
+
+  ```text
+  set-mpPreference -puaprotection 2
+  ```
+> [!NOTE]
+> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.  
+
+
+###Configure PUA in Intune
+
+ PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
+
+
+###Use PUA audit mode in Intune
+
+ You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
+
+1. Open PowerShell as Administrator: <br>
+
+    a.  Click **Start**, type **powershell**, and press **Enter**.
+    
+    b.  Click **Windows PowerShell** to open the interface.
+    
+    >[!NOTE]
+    >You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+    
+2. Enter the PowerShell command:
+
+  ```text
+  set-mpPreference -puaprotection 1
+  ```
+
+##View PUA events
+
+PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
+
+1.  Open **Event Viewer**.
+2.  In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
+3.  Double-click on **Operational**.
+4.  In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
+
+You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
+
+
+##What PUA notifications look like
+
+When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
+
+
+To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
+
+##PUA threat naming convention
+
+When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
+
+##PUA blocking conditions
+
+PUA protection quarantines the file so they won’t run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
+*	The file is being scanned from the browser
+*	The file is in the %downloads% folder
+*	Or if the file in the %temp% folder

windows/keep-secure/WDAV-working/1.6.3 use-powershell-cmdlets-windows-defender-antivirus.md

@@ -12,7 +12,7 @@ localizationpriority: medium
 author: iaanw
 ---
 
-# Use PowerShell cmdlets to configure and run Windows Defender
+# Use PowerShell cmdlets to configure and run Windows Defender Antivirus
 
 **Applies to:**
 

windows/keep-secure/WDAV-working/configure-block-at-first-sight-windows-defender-antivirus.md

@@ -1,5 +1,5 @@
 ---
-title: Enable the Block at First Sight feature to detect malware within seconds
+title: Enable Block at First Sight to detect malware in seconds
 description: In Windows 10 the Block at First Sight feature determines and blocks new malware variants in seconds. You can enable the feature with Group Policy.
 keywords: scan, BAFS, malware, first seen, first sight, cloud, MAPS, defender
 search.product: eADQiWindows 10XVcnh
@@ -12,7 +12,11 @@ localizationpriority: medium
 author: iaanw
 ---
 
-# Block at First Sight
+
+
+
+
+# Configure the Block at First Sight feature
 
 **Applies to**
 
@@ -20,7 +24,7 @@ author: iaanw
 
 **Audience**
 
-- Network administrators
+- Enterprise security administrators
 
 
 
@@ -30,7 +34,10 @@ It is enabled by default when certain pre-requisite settings are also enabled. I
 
 ## How it works
 
-When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
+When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. The following video describes how this feature works.
+
+<iframe 
+src="http://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc62c59" width="768" height="432" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe> 
 
 > [!NOTE]
 > The Block at first sight feature only use the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file.
@@ -48,7 +55,7 @@ In many cases this process can reduce the response time to new malware from hour
 Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender deployments in enterprise networks.
 
 > [!IMPORTANT]
-> There is no specific individual setting in System Center Configuration Manager to enable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly.
+> There is no specific individual setting in System Center Configuration Manager to enable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. You can disable it individually, or if you disable the pre-requisite settings then it will be automatically disabled.
 
 ### Confirm Block at First Sight is enabled with Group Policy
 
@@ -58,7 +65,7 @@ Block at First Sight requires a number of Group Policy settings to be configured
 
 4.  Click **Policies** then **Administrative templates**.
 
-5.  Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following Group Policies:
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies:
     
     1.  Double-click the **Join Microsoft MAPS** setting and ensure the option is set to **Enabled**. Click **OK**.
     
@@ -73,7 +80,7 @@ Block at First Sight requires a number of Group Policy settings to be configured
 
     1. Click **OK**.
 
-1.  In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection**:
+1.  In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**:
     
     1.  Double-click the **Scan all downloaded files and attachments** setting and ensure the option is set to **Enabled**. Click **OK**.
     
@@ -128,5 +135,6 @@ You may choose to disable the Block at First Sight feature if you want to retain
 ## Related topics
 
 - [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
 
 

windows/keep-secure/WDAV-working/configure-cloud-block-timeout-period-windows-defender-antivirus.md

@@ -0,0 +1,72 @@
+---
+title: Configure the cloud block timeout period
+description: You can configure how long Windows Defender Antivirus will block a file from running while waiting for a cloud determination
+keywords: windows defender antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: 
+---
+
+# Configure the cloud block timeout period
+
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+When Windows Defender Antivirus is suspicious of a file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud-protection service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md).
+
+The default period that the file will be blocked for is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Windows Defendre Antivirus cloud.
+
+## Prerequisites to use the extended cloud block timeout
+
+The [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature and its prerequisites must be enabled before you can specifiy an extended timeout period. 
+    
+## Specify the extended timeout period
+
+You can use System Center Configuration Manager or Group Policy to specify an extended timeout for cloud checks.
+
+**Use Configuration Manager to specify an extended timeout period**
+
+>[!NOTE]
+>Not sure if this is being doc'd on SCCM side. Will check with Nathan. What about PowerShell cmdlets? Are there any that cover this?
+
+**Use Group Policy to specify an extended timeout period:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**
+    
+1.  Double-click the **Configure extended cloud check** setting and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination.  You can specify the additional time, in seconds, from 1 second to 60 seconds. 
+    
+1. Click **OK**.
+
+
+>[!IMPORTANT]
+>The [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature and its prerequisites must be enabled before you can specifiy an extended timeout period. 
+
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
+- [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+- [Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+
+
+
+

windows/keep-secure/WDAV-working/configure-network-connections-windows-defender-antivirus.md

@@ -0,0 +1,186 @@
+---
+title: Configure and test Windows Defender Antivirus network connections
+description: Configure and test your connection to the Windows Defender Antivirus cloud
+keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure and validate network connections for Windows Defender Antivirus
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
+This topic lists the connections that must be allowed, including firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-based protection services.
+See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity.
+
+## Allow connections to the Windows Defender Antivirus cloud
+
+The Windows Defender Antivirus cloud provides fast, strong protection for your endpoints. Enabling the cloud-based protection service is optional, however it is highly recommend as it provides very important protection against malware on your endpoints and across your network.
+
+>[!NOTE] 
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+See the [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) topic for details on enabling the service with Group Policy, System Center Configuration Manager, Microsoft Intune, and PowerShell.
+
+After you've enabled the cloud, you may need to configure your network or firewall to allow connections between your endpoints and the Windows Defender Antivirus cloud service.
+
+The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them:
+
+<table  style="vertical-align:top">
+<tr style="vertical-align:top">
+<th >Service</th>
+<th>Description</th>
+<th>URL</th>
+</tr>
+<tr style="vertical-align:top">
+<td>
+ Windows Defender Antivirus cloud-based protection service, also referred to as Microsoft Active Protection Service (MAPS)
+</td>
+<td>
+ Used by Windows Defender Antivirus to provide cloud-based protection
+</td>
+<td>
+*.wdcp.microsoft.com*<br />
+*.wdcpalt.microsoft.com*
+</td>
+</tr>
+<tr style="vertical-align:top">
+<td>
+Microsoft Update Service (MU)
+</td>
+<td>
+Signature and product updates
+</td>
+<td>
+*.updates.microsoft.com
+</td>
+</tr>
+<tr style="vertical-align:top">
+<td>
+ Definition updates alternate download location (ADL)
+</td>
+<td>
+ Alternate location for Windows Defender Antivirus definition updates if the installed definitions fall out of date (7 or more days behind)
+</td>
+<td>
+*.download.microsoft.com
+</td>
+</tr>
+<tr style="vertical-align:top">
+<td>
+ Malware submission storage 
+</td>
+<td>
+ Upload location for files submitted to Microsoft via the <a href="https://www.microsoft.com/en-us/security/portal/submission/submit.aspx">Submission form</a> or automatic sample submission
+</td>
+<td>
+*.blob.core.windows.net
+</td>
+</tr>
+<tr style="vertical-align:top">
+<td>
+Certificate Revocation List (CRL)
+</td>
+<td>
+Used by Windows when creating the SSL connection to MAPS for updating the CRL
+</td>
+<td>
+http://www.microsoft.com/pkiops/crl/<br />
+http://www.microsoft.com/pkiops/certs<br />
+http://crl.microsoft.com/pki/crl/products<br />
+http://www.microsoft.com/pki/certs
+</ul>
+</td>
+</tr>
+<tr style="vertical-align:top">
+<td>
+Symbol Store 
+</td>
+<td>
+Used by Windows Defender Antivirus to restore certain critical files during remediation flows
+</td>
+<td>
+https://msdl.microsoft.com/download/symbols
+</td>
+</tr>
+<tr style="vertical-align:top">
+<td>
+Universal Telemetry Client
+</td>
+<td>
+Used by Windows to send client telemetry, Windows Defender Antivirus uses this for product quality monitoring purposes
+</td>
+<td>
+This update uses SSL (TCP Port 443) to download manifests and upload telemetry to Microsoft that uses the following DNS endpoints:  <ul><li>vortex-win.data.microsoft.com</li><li>settings-win.data.microsoft.com</li></ul></td>
+</tr>
+</table>
+
+
+## Validate connections between your network and the cloud
+
+After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud and are correctly reporting and receiving information to ensure you are fully protected.
+
+**Use the cmdline tool to enable cloud-delivered protection:**
+
+Use the following argument with the Windows Defender Antivirus command line utility (mpcmdrun.exe) to verify that your network can communicate with the Windows Defender Antivirus cloud:
+
+```DOS
+MpCmdRun - ValidateMapsConnection 
+```
+
+See [Run a Windows Defender scan from the command line](run-scan-command-line-windows-defender-antivirus)  and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the mpcmdrun.exe utility.
+
+**Attempt to download a fake malware file from Microsoft:**
+
+You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud.
+
+Download the file by visiting the following link:
+- http://aka.ms/ioavtest
+
+>[!NOTE] 
+>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
+
+If you are properly connected, you will see a warning notification:
+
+![Windows Defender Antivirus notification informing the user that malware was found](images/defender/malware-detected.png)
+
+You will also see a detection in the **Quarantine** section of the **History** tab in the Windows Defender Antivirus app:
+
+![Screenshot of the quarantine section in the Windows Defender Antivirus app](images/defender/quarantine.png)
+
+
+>[!IMPORTANT]
+>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will  need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
+
+
+**Use PowerShell cmdlets to enable cloud-delivered protection:**
+
+>[!NOTE] 
+ >Will there be a powershell cmdlet added for this? Or will it be revealed in [Get-MpComputerStatus](https://technet.microsoft.com/en-us/library/dn433289.aspx)?
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-windows-defender-antivirus)  and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [Run a Windows Defender scan from the command line](run-scan-command-line-windows-defender-antivirus)  and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
+- [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) 
+
+

windows/keep-secure/WDAV-working/enable-cloud-protection-windows-defender-antivirus.md

@@ -0,0 +1,133 @@
+---
+title: Enable cloud-delivered antivirus protection in Windows Defender Antivirus (Windows 10)
+description: Enable cloud-delivered protection in Windows Defender Antivirus
+keywords: windows defender antivirus, antimalware, security, defender, cloud, block at first sight
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Enable cloud-delivered protection
+
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+
+
+>[!NOTE] 
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+
+
+You can enable or disable cloud-delivered protection with System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients through Windows Settings.
+
+See  [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-based protection.
+
+>[!NOTE]
+>In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-based protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
+
+
+**Use Group Policy to enable cloud-delivered protection:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > MAPS**
+    
+1.  Double-click the **Join Microsoft MAPS** setting and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**.
+    
+1. Click **OK**.
+
+1.  Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following:
+    
+    1. **Send safe samples** (1)
+    1. **Send all samples** (3)
+
+        > [!WARNING]
+        > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+
+1. Click **OK**.
+
+
+
+**Use Configuration Manager to enable cloud-delivered protection:**
+
+See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+
+>[!NOTE] I can't see options for 2012, guessing it doesn't exist?
+
+
+**Use PowerShell cmdlets to enable cloud-delivered protection:**
+
+Use the following cmdlets to enable cloud-delivered protection:
+
+```PowerShell
+Set-MpPreference -MAPSReporting Advanced
+Set-MpPreference -SubmitSamplesConsent 3
+```
+>[!NOTE]
+>You can also set -SubmitSamplesConsent to 1. Setting it to 0 will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-windows-defender-antivirus)  and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Intune to enable cloud-delivered protection**
+
+1.  Open the [Microsoft Intune administration console](https://manage.microsoft.com/), and navigate to the associated policy you want to configure.
+2.  Under the **Endpoint Protection** setting, scroll down to the **Endpoint Protection Service** section set the **Submit files automatically when further analysis is required** setting to either of the following:
+    1. **Send samples automatically**
+    1. **Send all samples automatically**
+
+        > [!WARNING]
+        > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+5. Scoll down to the **Microsoft Active Protection Service** section and set the following settings:
+    Name | Set to
+    :--|:--
+    **Join Microsoft Active Protection Service** | **Yes**
+    **Membership level** | **Advanced**
+    **Receive dynamic definitions based on Microsoft Active Protection Service reports** | **Yes**
+3.  Save and [deploy the policy as usual](https://docs.microsoft.com/en-us/intune/deploy-use/common-windows-pc-management-tasks-with-the-microsoft-intune-computer-client).
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) for more details.
+
+**Enable cloud-delivered protection on individual clients with Windows Settings**
+> [!NOTE]
+> If the **Configure local setting override for reporting Microsoft MAPS** GP setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+
+1. Open Windows Defender settings in one of these ways:
+
+    a. Open the Windows Defender Antivirus app and click **Settings**.
+    
+    b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender Antivirus**.
+
+2.	Switch **Cloud-based Protection** to **On**.
+3.  Switch **Automatic sample submission** to **On**.
+
+>[!NOTE]
+>If automatic sample submission has been configured with GP then the setting will be greyed-out and unavailble.
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-windows-defender-antivirus.md)
+- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
+- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx)
+-  [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)

windows/keep-secure/WDAV-working/specify-cloud-protection-level-windows-defender-antivirus.md

@@ -0,0 +1,69 @@
+---
+title: Specify cloud protection level in Windows Defender Antivirus
+description: Set the aggressiveness of cloud-delivered protection in Windows Defender Antivirus
+keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Specify the cloud-delivered protection level
+
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager.
+
+>[!NOTE] 
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for a comparison of the availble levels. 
+
+
+>[!NOTE]
+>This lists four settings, and the GP only has two settings, but not description (it says go to the documentation site).
+
+**Use Group Policy to specify the level of cloud-delivered protection:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
+    
+1.  Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
+    1.  **Default Windows Defender Antivirus blocking level**.
+    2.  **High blocking level**.
+    
+1. Click **OK**.
+
+
+**Use Configuration Manager to specify the level of cloud-delivered protection:**
+
+See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+
+>[!NOTE] I can't see options for 2012 [here](https://technet.microsoft.com/en-us/library/hh508785.aspx#BKMK_List), guessing it doesn't exist?
+
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+-[How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
+
+

windows/keep-secure/WDAV-working/utilize-microsoft-cloud-protection-windows-defender-antivirus.md

@@ -0,0 +1,56 @@
+---
+title: 
+description: 
+keywords: windows defender antivirus, antimalware, security, defender, 
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: 
+---
+
+# Utilize Microsoft cloud-provided protection in Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+Cloud-delivered protection for Windows Defender Antivirus, also referred to as Microsoft Advanced Protection Service (MAPS), provides you with strong, fast protection in addition to our standard real-time protection.
+
+>[!NOTE] 
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+Enabling cloud-delivered protection helps detect and block new malware – even if the malware has never been seen before – without needing to wait for a traditionally delivered definition update to block it. Definition updates can take hours to prepare and deliver; our cloud service can deliver updated protection in seconds. 
+
+Cloud-delivered protecton is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies.
+
+The following table describes the differences in cloud-based protection between recent versions of Windows and System Center Configuration Manager.
+
+
+Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | Configuration manager 2012 | Configuration manager (current branch) | Microsoft Intune
+---|---|---|---|---|
+Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service
+Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version
+Block at first sight availability | No | Yes | Yes | Not configurable | Configurable | No
+Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | No
+ 
+# In this section
+
+ Topic | Description 
+---|---
+[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
+[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
+[Configure and validate network connections for Windows Defender Antivirus](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
+[Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for a traditional signature. You can enable and configure it with System Center Configuration Manager and Group Policy.
+[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-based protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
+
+
+
+