Merge branch 'master' into tvm-updates

This commit is contained in:
Beth Woodbury 2020-12-21 16:38:37 -08:00 committed by GitHub
commit 4cb439b2da
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
41 changed files with 514 additions and 116 deletions

View File

@ -1,24 +1,29 @@
---
title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal
description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal
description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
ms.date: 01/17/2018
ms.date: 12/18/2020
ms.reviewer:
manager: dansimp
---
# Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal
Go to your Azure AD Blade, select the Mobility (MDM and MAM) and there should be the Microsoft Intune "App" Visible, select the Microsoft Intune and configure the Blade
> [!NOTE]
> Microsoft Intune portal can be accessed at the following link: [https://endpoint.microsoft.com](https://endpoint.microsoft.com).
1. Go to your Azure AD Blade.
2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
3. Select **Microsoft Intune** and configure the blade.
![How to get to the Blade](images/azure-mdm-intune.png)
Configure the Blade
Configure the blade
![Configure the Blade](images/azure-intune-configure-scope.png)
Select all for allow all users to enroll a Device and make it Intune ready, or Some, then you can add a Group of Users.
You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users).
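Review bot: the new note links the Microsoft Intune portal (endpoint.microsoft.com), but step 1 then starts in the Azure AD blade without saying which portal that blade is opened from, so the note and the steps point the reader at two different places; state where step 1 begins. The bare line "Configure the blade" between the two screenshots also reads as a stray caption; fold it into the numbered list (for example as step 4) or drop it, since step 3 already says to configure the blade.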

View File

@ -1,14 +1,14 @@
---
title: Microsoft Defender rebrand guidance
description: A note in regard to the Microsoft Defender rebrand.
title: Microsoft Defender important guidance
description: A note in regard to important Microsoft Defender guidance.
ms.date: 09/21/2020
ms.reviewer:
manager: dansimp
ms.author: daniha
author: danihalfin
ms.author: dansimp
author: dansimp
ms.prod: w10
ms.topic: include
---
> [!IMPORTANT]
> Welcome to **Microsoft Defender for Endpoint**, the new name for **Microsoft Defender Advanced Threat Protection**. Read more about this and other updates [here](https://www.microsoft.com/security/blog/?p=91813). We'll be updating names in products and in the docs in the near future.
> [Learn how Microsoft is helping to protect customers from Solorigate, a recent sophisticated attack](https://aka.ms/solorigate).
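Review bot: the Solorigate link is appended directly under the rebrand sentence inside the same `> [!IMPORTANT]` block with no blank `>` line between them, so it renders as a continuation of the rebrand paragraph rather than as its own line; insert a `>` separator line. The include's content changed, but `ms.date: 09/21/2020` was not bumped alongside the author change.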

View File

@ -151,5 +151,5 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/)
- [TPM WMI providers](https://msdn.microsoft.com/library/aa376476.aspx)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
- [TPM WMI providers](https://docs.microsoft.com/windows/win32/secprov/security-wmi-providers-reference)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#tpm-hardware-configurations)
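Review bot: the BitLocker link's fragment changed from `#bkmk-tpmconfigurations` to `#tpm-hardware-configurations`; since anchors on docs.microsoft.com are generated from headings, confirm the target page actually has a "TPM hardware configurations" heading, otherwise the link lands at the top of the page and the reader has to find the TPM section by hand.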

View File

@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: pahuijbr
manager: dansimp
ms.date: 12/17/2020
ms.date: 12/20/2020
---
# Microsoft Defender Antivirus compatibility
@ -93,8 +93,6 @@ If you uninstall the other product, and choose to use Microsoft Defender Antivir
> [!WARNING]
> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
> [!IMPORTANT]
> If you are using [Microsoft Endpoint DLP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview), Microsoft Defender Antivirus real-time protection is enabled, even when Microsoft Defender Antivirus is running in passive mode. Microsoft Defender Antivirus won't conflict with third-party antivirus solutions installed on the endpoint. Endpoint DLP depends on real-time protection to operate.
## See also
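Review bot: the hunk header shows two lines leaving this region, and the visible candidates are the `[!WARNING]` telling admins not to stop or modify wscsvc, SecurityHealthService, MsSense, Sense, WinDefend and MsMpEng, and the `[!IMPORTANT]` about Endpoint DLP keeping real-time protection on in passive mode. Both are the protective guidance of this page; if either is being removed rather than moved, say where it now lives, since the service-tampering warning in particular is what stops operators from "fixing" a compatibility problem by disabling the sensor.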

View File

@ -29,7 +29,7 @@ ms.topic: conceptual
- [Defender for Endpoint](microsoft-defender-atp-android.md)
This topic describes deploying Defender for Endpoint for Android on Intune
Learn how to deploy Defender for Endpoint for Android on Intune
Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your
device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal).
@ -44,13 +44,13 @@ device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-co
**Deploy Defender for Endpoint for Android on Intune Company Portal - Device
Administrator enrolled devices**
This topic describes how to deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices.
Learn how to deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices.
### Add as Android store app
1. In [Microsoft Endpoint Manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
**Android Apps** \> **Add \> Android store app** and click **Select**.
**Android Apps** \> **Add \> Android store app** and choose **Select**.
![Image of Microsoft Endpoint Manager Admin Center](images/mda-addandroidstoreapp.png)
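Review bot: the section title "Deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices" is bold text spanning two lines instead of a markdown heading, so it gets no anchor and does not appear in the page TOC; make it a `###`-level heading like "Add as Android store app" below it. The step text "center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to" also has a stray space before the comma.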
@ -66,7 +66,7 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
![Image of Microsoft Endpoint Manager Admin Center](images/mda-addappinfo.png)
3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Click **Select** and then **Next**.
3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Choose **Select** and then **Next**.
>[!NOTE]
>The selected user group should consist of Intune enrolled users.
@ -111,7 +111,7 @@ Defender for Endpoint for Android supports Android Enterprise enrolled devices.
For more information on the enrollment options supported by Intune, see
[Enrollment Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll).
**Currently, Personally-owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.**
**Currently, Personally owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.**
@ -141,7 +141,7 @@ select **Approve**.
> ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png)
4. You should now be presented with the permissions that Defender for Endpoint
4. You'll be presented with the permissions that Defender for Endpoint
obtains for it to work. Review them and then select **Approve**.
![A screenshot of Defender for Endpoint preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png)
@ -218,7 +218,7 @@ Defender ATP should be visible in the apps list.
1. In the **Review + Create** page that comes up next, review all the information and then select **Create**. <br>
The app configuration policy for Defender for Endpoint auto-granting the storage permission is now assigned to the selected user group.
The app configuration policy for Defender for Endpoint autogranting the storage permission is now assigned to the selected user group.
> [!div class="mx-imgBorder"]
> ![Image of create app configuration policy](images/android-review-create.png)
@ -245,10 +245,10 @@ assignment.
### Auto Setup of Always-on VPN
Defender for Endpoint supports Device configuration policies for managed devices via Intune. This capability can be leveraged to **Auto setup of Always-on VPN** on Android Enterprise enrolled devices, so the end user does not need to set up VPN service while onboarding.
1. On **Devices** Page go to **Configuration Profiles** > **Create Profile** > **Platform** > **Android Enterprise**
1. On **Devices**, select **Configuration Profiles** > **Create Profile** > **Platform** > **Android Enterprise**
Select **Device restrictions** under one of the following, based on your device enrollment type
- **Fully Managed, Dedicated, and Corporate-Owned Work Profile**
- **Personally-Owned Work Profile**
- **Personally owned Work Profile**
Select **Create**.
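Review bot: "This capability can be leveraged to **Auto setup of Always-on VPN**" is not a grammatical sentence; "can be used to set up Always-on VPN automatically" reads cleanly. The steps after step 1 ("Select **Device restrictions** under one of the following..." and "Select **Create**.") are unnumbered, so the procedure loses its sequence; number them 2 and 3.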
@ -292,7 +292,7 @@ displayed here.
> ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png)
2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally-owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available.
2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available.
![Image of app in mobile device](images/c2e647fc8fa31c4f2349c76f2497bc0e.png)

View File

@ -46,7 +46,7 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a
```
let
AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti'",
AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti' | limit 20",
HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries",
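Review bot: the fence carries no language tag, unlike the PowerShell fences elsewhere in these docs; tag it so the Power Query M sample is highlighted. Note also that KQL `limit 20` returns an arbitrary 20 rows unless the query orders them, so the sample's result set is not stable between refreshes; if the intent is only to keep the Power BI sample small, a comment saying so avoids readers taking the 20 rows as representative of `ActionType contains 'Anti'` events.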

View File

@ -33,9 +33,10 @@ In order to open a support case, you will need to login to your Microsoft Defend
Environment | Portal URL
:---|:---
GCC-M | [https://gcc.securitycenter.windows.us](https://gcc.securitycenter.windows.us)
GCC-H | [https://securitycenter.windows.us](https://securitycenter.windows.us)
DoD | [https://securitycenter.windows.us](https://securitycenter.windows.us)
GCC-M on Commercial | [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com)
GCC-M | [https://gcc.securitycenter.microsoft.us](https://gcc.securitycenter.microsoft.us)
GCC-H | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us)
DoD | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us)
If you are unable to login to the portal, you can also open a support case using the [phone](https://docs.microsoft.com/microsoft-365/admin/contact-support-for-business-products?view=o365-worldwide&tabs=phone&preserve-view=true).
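Review bot: the table now has two rows labelled GCC-M (one "on Commercial" pointing at securitycenter.microsoft.com, one pointing at gcc.securitycenter.microsoft.us) with nothing telling a reader which applies to them; add a sentence explaining the distinction so a GCC-M tenant does not try to log in to the wrong portal. If the old windows.us hostnames still resolve or redirect, say so, since bookmarks and proxy allow-lists will still reference them. Also, "login" as a verb should be "log in" in both sentences.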

View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
audience: ITPro
ms.date: 12/10/2020
ms.date: 12/17/2020
ms.reviewer: v-maave
manager: dansimp
ms.custom: asr
@ -21,7 +21,6 @@ ms.custom: asr
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
@ -30,6 +29,9 @@ ms.custom: asr
Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).
> [!NOTE]
> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you add it as an application you trust or allow with [certificate and file indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates).
Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
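Review bot: "controlled protected folders" in the new note should be "protected folders". The note is the important caveat here: certificate and file indicators do not make a script engine such as PowerShell trusted by controlled folder access. The same caveat belongs beside the new "Allow signed executable files to access protected folders" section in customize-controlled-folders.md in this commit, which currently sends readers to certificate indicators without it.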
## How does controlled folder access work?

View File

@ -8,10 +8,11 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.reviewer:
author: denisebmsft
ms.author: deniseb
ms.reviewer: jcedola, dbodorin, vladiso, nixanm, anvascon
manager: dansimp
ms.date: 12/16/2020
---
# Customize controlled folder access
@ -21,53 +22,47 @@ manager: dansimp
**Applies to:**
* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients.
This article describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).
This article describes how to customize controlled folder access capabilities, and includes the following sections:
* [Add additional folders to be protected](#protect-additional-folders)
* [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders)
- [Protect additional folders](#protect-additional-folders)
- [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders)
- [Allow signed executable files to access protected folders](#allow-signed-executable-files-to-access-protected-folders)
- [Customize the notification](#customize-the-notification)
> [!WARNING]
> Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files.
>
> This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender.md) to fully assess the feature's impact.
> [!IMPORTANT]
> Controlled folder access monitors apps for activities that are detected as malicious. Sometimes, legitimate apps are blocked from making changes to your files. If controlled folder access impacts your organization's productivity, you might consider running this feature in [audit mode](audit-windows-defender.md) to fully assess the impact.
## Protect additional folders
Controlled folder access applies to a number of system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, and Movies.
Adding other folders to controlled folder access can be helpful for cases when you don't store files in the default Windows libraries, or you've changed the default location of your libraries.
You can add additional folders to be protected, but you cannot remove the default folders in the default list.
You can also specify network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
Adding other folders to controlled folder access can be useful. Some use-cases include if you don't store files in the default Windows libraries, or you've changed the location of the libraries away from the defaults.
You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
You can use the Windows Security app or Group Policy to add and remove additional protected folders.
You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobile device management configuration service providers to add and remove additional protected folders.
### Use the Windows Security app to protect additional folders
1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Security**.
2. Select **Virus & threat protection**, and then scroll down to the **Ransomware protection** section.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then scroll down to the **Ransomware protection** section.
3. Select **Manage ransomware protection** to open the **Ransomware protection** pane.
3. Click the **Manage ransomware protection** link to open the **Ransomware protection** pane.
4. Under the **Controlled folder access** section, select **Protected folders**.
4. Under the **Controlled folder access** section, click the **Protected folders** link.
5. Click **Yes** on the **User Access Control** prompt. The **Protected folders** pane displays.
4. Click **Add a protected folder** and follow the prompts to add folders.
5. Choose **Yes** on the **User Access Control** prompt. The **Protected folders** pane displays.
4. Select **Add a protected folder** and follow the prompts to add folders.
### Use Group Policy to protect additional folders
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)?preserve=true), right-click the Group Policy Object you want to configure, and then and select **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
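Review bot: the Windows Security app steps are numbered 1, 2, 3, 4, 5, 4; the final "Select **Add a protected folder**" should be step 6. The prompt in step 5 is "User Account Control", not "User Access Control". The new intro sentence "This article describes how to customize controlled folder access capabilities" drops the mention of Group Policy, PowerShell and MDM CSPs that the old sentence had, while the section list below still covers all of them; keep that scope sentence so readers know which management surfaces the article addresses.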
@ -78,13 +73,13 @@ You can use the Windows Security app or Group Policy to add and remove additiona
### Use PowerShell to protect additional folders
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Add-MpPreference -ControlledFolderAccessProtectedFolders "<the folder to be protected>"
```
Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app.
3. Repeat step 2 until you have added all the folders you want to protect. Folders that are added are visible in the Windows Security app.
![Screenshot of a PowerShell window with the cmdlet above entered](../images/cfa-allow-folder-ps.png)
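Review bot: step 3 "Repeat step 2" works, but `-ControlledFolderAccessProtectedFolders` accepts an array of paths, so several folders can be added in one call, and `Add-MpPreference` appends to the list rather than replacing it, so re-running the cmdlet does not undo a mistyped path; both points are worth a sentence here. A verification step with `Get-MpPreference` would let the reader confirm what ended up in the list, which the screenshot caption only implies.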
@ -100,8 +95,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m
You can specify if certain apps are always considered safe and give write access to files in protected folders. Allowing apps can be useful if a particular app you know and trust is being blocked by the controlled folder access feature.
> [!IMPORTANT]
> By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
> You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
> By default, Windows adds apps that are considered friendly to the allowed list. Such apps that are added automatically are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders. If the app (with the same name) is in a different location, it will not be added to the allow list and may be blocked by controlled folder access.
@ -109,9 +103,9 @@ An allowed application or service only has write access to a controlled folder a
### Use the Windows Defender Security app to allow specific apps
1. Open the Windows Security by selecting the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Security app by searching the start menu for **Security**.
2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**.
2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Manage ransomware protection**.
3. Under the **Controlled folder access** section, select **Allow an app through Controlled folder access**
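Review bot: the heading "Use the Windows Defender Security app to allow specific apps" still uses the old "Windows Defender Security" name while the step under it was updated to "Windows Security app"; rename the heading to match "Use the Windows Security app to protect additional folders" earlier in the file.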
@ -121,7 +115,7 @@ An allowed application or service only has write access to a controlled folder a
### Use Group Policy to allow specific apps
1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)?preserve=true), right-click the Group Policy Object you want to configure and select **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
@ -155,12 +149,16 @@ An allowed application or service only has write access to a controlled folder a
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Allow signed executable files to access protected folders
Microsoft Defender for Endpoint certificate and file indicators can allow signed executable files to access protected folders. For implementation details, see [Create indicators based on certificates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates).
## Customize the notification
For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center).
For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Configure alert notifications in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications).
## Related topics
## See also
* [Protect important folders with controlled folder access](controlled-folders.md)
* [Enable controlled folder access](enable-controlled-folders.md)
* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
- [Protect important folders with controlled folder access](controlled-folders.md)
- [Enable controlled folder access](enable-controlled-folders.md)
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
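Review bot: the "Customize the notification" paragraph describes the end-user notification shown when a rule blocks an app or file, but its link was changed from the Windows Security notification customization page to "Configure alert notifications in Microsoft Defender for Endpoint", which covers alert notifications to administrators; either restore a link that matches the sentence or reword the sentence to say it now covers admin alerts. The new "Allow signed executable files to access protected folders" section should also carry the caveat added to controlled-folders.md in this same commit that scripting engines such as PowerShell cannot be allowed through certificate indicators.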

View File

@ -37,7 +37,7 @@ Each section corresponds to a separate article in this solution.
![Image of deployment phases with details from table](images/deployment-guide-phases.png)
![Summary of deployment phases: prepare, setup, onboard](/windows/media/phase-diagrams/deployment-phases.png)
![Summary of deployment phases: prepare, setup, onboard](images/phase-diagrams/deployment-phases.png)
|Phase | Description |
|:-------|:-----|

Binary files not shown (five image files added; sizes 5.6 KiB, 5.6 KiB, 1.9 KiB, 1.7 KiB, 1.5 KiB).

View File

@ -293,6 +293,7 @@ Each command is tracked with full details such as:
- Live response sessions are limited to 10 live response sessions at a time.
- Large-scale command execution is not supported.
- Live response session inactive timeout value is 5 minutes.
- A user can only initiate one session at a time.
- A device can only be in one session at a time.
- The following file size limits apply:
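Review bot: the new "A user can only initiate one session at a time" sits next to "Live response sessions are limited to 10 live response sessions at a time" without saying what scope the 10 applies to; state whether that limit is per tenant or per portal so it is not read as contradicting the new per-user limit.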

View File

@ -35,7 +35,7 @@ If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microso
When you switch from McAfee to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
![Migration phases - prepare setup onboard](/windows/media/phase-diagrams/migration-phases.png)
![Migration phases - prepare setup onboard](images/phase-diagrams/migration-phases.png)
|Phase |Description |

View File

@ -28,7 +28,7 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|[![Phase 1: Prepare](/windows/media/phase-diagrams/prepare.png)](mcafee-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[![Phase 2: Set up](/windows/media/phase-diagrams/setup.png)](mcafee-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |![Phase 3: Onboard](/windows/media/phase-diagrams/onboard.png)<br/>Phase 3: Onboard |
|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](mcafee-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[![Phase 2: Set up](images/phase-diagrams/setup.png)](mcafee-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |![Phase 3: Onboard](images/phase-diagrams/onboard.png)<br/>Phase 3: Onboard |
|--|--|--|
|| |*You are here!* |

View File

@ -29,7 +29,7 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|![Phase 1: Prepare](/windows/media/phase-diagrams/prepare.png)<br/>Phase 1: Prepare |[![Phase 2: Set up](/windows/media/phase-diagrams/setup.png)](mcafee-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[![Phase 3: Onboard](/windows/media/phase-diagrams/onboard.png)](mcafee-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
|![Phase 1: Prepare](images/phase-diagrams/prepare.png)<br/>Phase 1: Prepare |[![Phase 2: Set up](images/phase-diagrams/setup.png)](mcafee-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](mcafee-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
|--|--|--|
|*You are here!*| | |

View File

@ -29,7 +29,7 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|[![Phase 1: Prepare](/windows/media/phase-diagrams/prepare.png)](mcafee-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |![Phase 2: Set up](/windows/media/phase-diagrams/setup.png)<br/>Phase 2: Set up |[![Phase 3: Onboard](/windows/media/phase-diagrams/onboard.png)](mcafee-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](mcafee-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |![Phase 2: Set up](images/phase-diagrams/setup.png)<br/>Phase 2: Set up |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](mcafee-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
|--|--|--|
||*You are here!* | |

View File

@ -29,7 +29,7 @@ ms.topic: article
Deploying Defender for Endpoint is a three-phase process:
| [![deployment phase - prepare](/windows/media/phase-diagrams/prepare.png)](prepare-deployment.md)<br>[Phase 1: Prepare](prepare-deployment.md) | [![deployment phase - setup](/windows/media/phase-diagrams/setup.png)](production-deployment.md)<br>[Phase 2: Setup](production-deployment.md) | ![deployment phase - onboard](/windows/media/phase-diagrams/onboard.png)<br>Phase 3: Onboard |
| [![deployment phase - prepare](images/phase-diagrams/prepare.png)](prepare-deployment.md)<br>[Phase 1: Prepare](prepare-deployment.md) | [![deployment phase - setup](images/phase-diagrams/setup.png)](production-deployment.md)<br>[Phase 2: Setup](production-deployment.md) | ![deployment phase - onboard](images/phase-diagrams/onboard.png)<br>Phase 3: Onboard |
| ----- | ----- | ----- |
| | |*You are here!*|

View File

@ -33,7 +33,7 @@ ms.topic: article
Deploying Defender for Endpoint is a three-phase process:
| ![deployment phase - prepare](/windows/media/phase-diagrams/prepare.png)<br>Phase 1: Prepare | [![deployment phase - setup](/windows/media/phase-diagrams/setup.png)](production-deployment.md)<br>[Phase 2: Setup](production-deployment.md) | [![deployment phase - onboard](/windows/media/phase-diagrams/onboard.png)](onboarding.md)<br>[Phase 3: Onboard](onboarding.md) |
| ![deployment phase - prepare](images/phase-diagrams/prepare.png)<br>Phase 1: Prepare | [![deployment phase - setup](images/phase-diagrams/setup.png)](production-deployment.md)<br>[Phase 2: Setup](production-deployment.md) | [![deployment phase - onboard](images/phase-diagrams/onboard.png)](onboarding.md)<br>[Phase 3: Onboard](onboarding.md) |
| ----- | ----- | ----- |
|*You are here!* | ||

View File

@ -31,7 +31,7 @@ ms.topic: article
Deploying Defender for Endpoint is a three-phase process:
| [![deployment phase - prepare](/windows/media/phase-diagrams/prepare.png)](prepare-deployment.md)<br>[Phase 1: Prepare](prepare-deployment.md) | ![deployment phase - setup](/windows/media/phase-diagrams/setup.png)<br>Phase 2: Setup | [![deployment phase - onboard](/windows/media/phase-diagrams/onboard.png)](onboarding.md)<br>[Phase 3: Onboard](onboarding.md) |
| [![deployment phase - prepare](images/phase-diagrams/prepare.png)](prepare-deployment.md)<br>[Phase 1: Prepare](prepare-deployment.md) | ![deployment phase - setup](images/phase-diagrams/setup.png)<br>Phase 2: Setup | [![deployment phase - onboard](images/phase-diagrams/onboard.png)](onboarding.md)<br>[Phase 3: Onboard](onboarding.md) |
| ----- | ----- | ----- |
| | *You are here!*||

View File

@ -35,7 +35,7 @@ If you are planning to switch from a non-Microsoft endpoint protection solution
When you switch to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
![Migration phases - prepare, setup, onboard](/windows/media/phase-diagrams/migration-phases.png)
![Migration phases - prepare, setup, onboard](images/phase-diagrams/migration-phases.png)
|Phase |Description |
|--|--|

View File

@ -25,7 +25,7 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
# Switch to Microsoft Defender for Endpoint - Phase 3: Onboard
|[![Phase 1: Prepare](/windows/media/phase-diagrams/prepare.png)](switch-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |[![Phase 2: Set up](/windows/media/phase-diagrams/setup.png)](switch-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |![Phase 3: Onboard](/windows/media/phase-diagrams/onboard.png)<br/>Phase 3: Onboard |
|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](switch-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |[![Phase 2: Set up](images/phase-diagrams/setup.png)](switch-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |![Phase 3: Onboard](images/phase-diagrams/onboard.png)<br/>Phase 3: Onboard |
|--|--|--|
|| |*You are here!* |

View File

@ -25,7 +25,7 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
# Switch to Microsoft Defender for Endpoint - Phase 1: Prepare
|![Phase 1: Prepare](/windows/media/phase-diagrams/prepare.png)<br/>Phase 1: Prepare |[![Phase 2: Set up](/windows/media/phase-diagrams/setup.png)](switch-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |[![Phase 3: Onboard](/windows/media/phase-diagrams/onboard.png)](switch-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
|![Phase 1: Prepare](images/phase-diagrams/prepare.png)<br/>Phase 1: Prepare |[![Phase 2: Set up](images/phase-diagrams/setup.png)](switch-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](switch-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
|--|--|--|
|*You are here!*| | |

View File

@ -25,7 +25,7 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
# Switch to Microsoft Defender for Endpoint - Phase 2: Setup
|[![Phase 1: Prepare](/windows/media/phase-diagrams/prepare.png)](switch-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |![Phase 2: Set up](/windows/media/phase-diagrams/setup.png)<br/>Phase 2: Set up |[![Phase 3: Onboard](/windows/media/phase-diagrams/onboard.png)](switch-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](switch-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |![Phase 2: Set up](images/phase-diagrams/setup.png)<br/>Phase 2: Set up |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](switch-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
|--|--|--|
||*You are here!* | |
@ -231,6 +231,7 @@ To use CMPivot to get your file hash, follow these steps:
File(c:\\windows\\notepad.exe)
| project Hash
```
> [!NOTE]
> In the query above, replace *notepad.exe* with the your third-party security product process name.
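Review bot: typo in the added note text: "replace *notepad.exe* with the your third-party security product process name" should read "with your third-party security product process name". The same note is added to the Symantec guide further down in this commit; keep both copies identical.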

View File

@ -35,7 +35,7 @@ If you are planning to switch from Symantec Endpoint Protection (Symantec) to [M
When you switch from Symantec to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
![Migration phases - prepare, setup, onboard](/windows/media/phase-diagrams/migration-phases.png)
![Migration phases - prepare, setup, onboard](images/phase-diagrams/migration-phases.png)
|Phase |Description |
|--|--|

View File

@ -28,7 +28,7 @@ ms.reviewer: depicker, yongrhee, chriggs
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|[![Phase 1: Prepare](/windows/media/phase-diagrams/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)<br/>[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[![Phase 2: Set up](/windows/media/phase-diagrams/setup.png)](symantec-to-microsoft-defender-atp-setup.md)<br/>[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |![Phase 3: Onboard](/windows/media/phase-diagrams/onboard.png)<br/>Phase 3: Onboard |
|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)<br/>[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[![Phase 2: Set up](images/phase-diagrams/setup.png)](symantec-to-microsoft-defender-atp-setup.md)<br/>[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |![Phase 3: Onboard](images/phase-diagrams/onboard.png)<br/>Phase 3: Onboard |
|--|--|--|
|| |*You are here!* |

View File

@ -28,7 +28,7 @@ ms.reviewer: depicker, yongrhee, chriggs
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|![Phase 1: Prepare](/windows/media/phase-diagrams/prepare.png)<br/>Phase 1: Prepare |[![Phase 2: Set up](/windows/media/phase-diagrams/setup.png)](symantec-to-microsoft-defender-atp-setup.md)<br/>[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[![Phase 3: Onboard](/windows/media/phase-diagrams/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)<br/>[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|![Phase 1: Prepare](images/phase-diagrams/prepare.png)<br/>Phase 1: Prepare |[![Phase 2: Set up](images/phase-diagrams/setup.png)](symantec-to-microsoft-defender-atp-setup.md)<br/>[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)<br/>[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|--|--|--|
|*You are here!*| | |

View File

@ -28,7 +28,7 @@ ms.reviewer: depicker, yongrhee, chriggs
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|[![Phase 1: Prepare](/windows/media/phase-diagrams/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)<br/>[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |![Phase 2: Set up](/windows/media/phase-diagrams/setup.png)<br/>Phase 2: Set up |[![Phase 3: Onboard](/windows/media/phase-diagrams/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)<br/>[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)<br/>[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |![Phase 2: Set up](images/phase-diagrams/setup.png)<br/>Phase 2: Set up |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)<br/>[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|--|--|--|
||*You are here!* | |
@ -64,9 +64,10 @@ Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll
1. As a local administrator on the endpoint or device, open Windows PowerShell.
2. Run the following PowerShell cmdlets: <br/>
2. Run the following PowerShell cmdlets:
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <br/>
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/>
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
> [!NOTE]
> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
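Review bot: the trailing `<br/>` is dropped from "Run the following PowerShell cmdlets:" and from the second `Dism` line, but the first line, `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features <br/>`, keeps its `<br/>`. Without a break after "cmdlets:" the label and the first command render as one paragraph; either keep a `<br/>` (or a blank line) after the label, or put both `Dism` commands in a fenced code block under the list item so no `<br/>` is needed at all.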
@ -174,10 +175,12 @@ To add exclusions to Microsoft Defender for Endpoint, you create [indicators](ht
3. On the **File hashes** tab, choose **Add indicator**.
3. On the **Indicator** tab, specify the following settings:
- File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
- Under **Expires on (UTC)**, choose **Never**.
4. On the **Action** tab, specify the following settings:
- **Response Action**: **Allow**
- Title and description
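Review bot: the steps now read "3. On the **File hashes** tab, choose **Add indicator**." followed by "3. On the **Indicator** tab, specify the following settings:" and then "4. On the **Action** tab", so two consecutive steps carry the number 3. Renumber the Indicator step to 4 and the Action step to 5, or, if the File hashes line was meant to be replaced rather than kept, drop it.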
@ -207,9 +210,11 @@ To use CMPivot to get your file hash, follow these steps:
File(c:\\windows\\notepad.exe)
| project Hash
```
> [!NOTE]
> In the query above, replace *notepad.exe* with the your third-party security product process name.
## Set up your device groups, device collections, and organizational units
| Collection type | What to do |
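Review bot: same typo as in the switch-to guide: "with the your third-party security product process name" should be "with your third-party security product process name".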

View File

@ -165,6 +165,8 @@
## [Troubleshooting]()
### [Troubleshooting UWP app connectivity issues in Windows Firewall](troubleshooting-uwp-firewall.md)
### [Filter origin audit log improvements](filter-origin-documentation.md)
### [Quarantine behavior](quarantine.md)
### [Firewall settings lost on upgrade](firewall-settings-lost-on-upgrade.md)
@ -179,3 +181,4 @@

View File

@ -0,0 +1,171 @@
---
title: Filter origin audit log improvements
description: Filter origin documentation audit log improvements
ms.reviewer:
ms.author: v-bshilpa
ms.prod: w10
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: normal
author: Benny-54
manager: dansimp
ms.collection:
- m365-security-compliance
- m365-initiative-windows-security
ms.topic: troubleshooting
---
# Filter origin audit log improvements
Debugging packet drops is a continuous issue to Windows customers. In the past, customers had limited information about packet drops.
Typically, when investigating packet drop events, a customer would use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits 5157 or 5152.
![Event properties](images/event-properties-5157.png)
The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from.
However, the filter ID is not a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. This makes the diagnosis process error-prone and difficult.
For customers to debug packet drop events correctly and efficiently, they would need more context about the blocking filter such as its origin.
The blocking filters can be categorized under these filter origins:
1. Firewall rules
2. Firewall default block filters
a. AppContainer loopback
b. Boottime default
c. Quarantine default
d. Query user default
e. Stealth
f. Universal Windows Platform (UWP) default
g. Windows Service Hardening (WSH) default
The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in Iron release.
## Improved firewall audit
The two new fields added to the audit 5157 and 5152 events are `Filter Origin` and `Interface Index`.
The `Filter Origin` field helps identify the cause of the drop. Packet drops from firewall are explicitly dropped by default block filters created by the Windows Firewall service or a firewall rule that may be created by users, policies, services, apps, etc.
`Filter Origin` specifies either the rule ID (a unique identifier of a Firewall rule) or the name of one of the default block filters.
The `Interface Index` field specifies the network interface in which the packet was dropped. This field helps to identify which interface was quarantined, if the `Filter Origin` is a `Quarantine Default`.
To enable a specific audit event, run the corresponding command in an administrator command prompt:
|**Audit #**|**Enable command**|**Link**|
|:-----|:-----|:-----|
|**5157**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157)|
|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5152)|
## Example flow of debugging packet drops with filter origin
As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop and the interface it happened on.
![Event audit](images/event-audit-5157.png)
The next sections are divided by `Filter Origin` type, the value is either a rule name or the name of one of the default block filters. If the filter origin is one of the default block filters, skip to the section, **Firewall default block filters**. Otherwise, continue to the section **Firewall rules**.
## Firewall rules
Run the following PowerShell command to generate the rule information using `Filter Origin`.
```Powershell
Get-NetFirewallRule -Name “<Filter Origin>
Get-NetFirewallRule -Name " {A549B7CF-0542-4B67-93F9-EEBCDD584377} "
```
![Firewall rule](images/firewallrule.png)
After identifying the rule that caused the drop, the network admin can now modify/disable the rule to allow the traffic they want through command prompt or using the Windows Defender UI. The network admin can find the rule in the UI with the rules `DisplayName`.
>[!NOTE]
> Firewall rules from Mobile Device Management (MDM) store cannot be searched using the Windows Defender UI. Additionally, the above method will not work when the `Filter Origin` is one of the default block filters, as they do not correspond to any firewall rules.
## Firewall default block filters
**AppContainer loopback**
Network drop events from the AppContainer loopback block filter origin occur when localhost loopback is not enabled properly for the Universal Windows Platform (UWP) app.
To enable localhost loopback in a local debugging environment, see [Communicating with localhost](https://docs.microsoft.com/windows/iot-core/develop-your-app/loopback).
To enable localhost loopback for a published app that requires loopback access to communicate with another UWP or packaged win32 app, see [uap4:LoopbackAccessRules](https://docs.microsoft.com/uwp/schemas/appxpackage/uapmanifestschema/element-uap4-loopbackaccessrules).
**Boottime default**
Network drop events from the boottime default block filter origin occur when the computer is booting up and the firewall service is not yet running. Services will need to create a boottime allow filter to allow the traffic. It should be noted that it is not possible to add boottime filters through firewall rules.
**Quarantine default**
Network drops from the quarantine default block filter occur when the interface is temporarily quarantined by Firewall service. The firewall service quarantines an interface when it detects a change on the network, and based on several other factors, the firewall service may put the interface in quarantine as a safeguard. When an interface is in quarantine, the quarantine default block filter will block any new non-loopback inbound connections.
Run the following PowerShell command to generate more information about the interface:
```Powershell
Get-NetIPInterface InterfaceIndex <Interface Index>
Get-NetIPInterface InterfaceIndex 5
```
![Quarantine default block filter](images/quarantine-default-block-filter.png)
To learn more about the quarantine feature, see [Quarantine behavior](quarantine.md).
>[!NOTE]
> Quarantine-related packet drops are often transient and signify nothing more than a network change on the interface.
**Query user default**
Network packet drops from query user default block filters occur when there is no explicit rule created to allow an inbound connection for the packet. When an application binds to a socket but does not have a corresponding inbound rule to allow packets on that port, Windows generates a pop up for the user to allow or deny the app to receive packets on the available network categories. If the user clicks to deny the connection in this popup, subsequent inbound packets to the app will be dropped. To resolve the drops:
1. Create an inbound firewall rule to allow the packet for this application. This will allow the packet to bypass any query user default block filters.
2. Delete any block query user rules that may have been auto generated by the firewall service.
To generate a list of all the query user block rules, you can run the following PowerShell command:
```Powershell
Get-NetFirewallRule | Where {$_.Name -like "*Query User*"}
```
![Query user default block filter](images/query-user-default-block-filters.png)
The query user pop-up feature is enabled by default.
To disable the query user pop-up, you can run the following in administrative command prompt:
```Console
Netsh set allprofiles inboundusernotification disable
```
Or in PowerShell:
```Powershell
Set-NetFirewallProfile -NotifyOnListen False
```
**Stealth**
Network drops from stealth filters are typically made to prevent port scanning.
To disable stealth-mode, see [Disable stealth mode in Windows](https://docs.microsoft.com/troubleshoot/windows-server/networking/disable-stealth-mode).
**UWP default**
Network drops from Universal Windows Platform (UWP) default inbound/outbound block filters are often caused by the UWP app not being configured correctly (that is, the UWP app is missing the correct capability tokens or loopback is not enabled) or the private range is configured incorrectly.
For more information on how to debug drops caused by UWP default block filters, see [Troubleshooting UWP App Connectivity Issues](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall).
**WSH default**
Network drops from Windows Service Hardening (WSH) default filters indicate that there wasnt an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected.
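Review bot: the enable command listed for audit 5152 is wrong: the table uses `/SubCategory:"Filtering Platform Connection"` for both rows, but 5152 (The Windows Filtering Platform blocked a packet) is logged under the Filtering Platform Packet Drop subcategory, so the 5152 row should read `Auditpol /set /category:"System" /SubCategory:"Filtering Platform Packet Drop" /success:enable /failure:enable`; as written, following the table enables only 5157 and readers will never see the 5152 events the article is about. The PowerShell samples also need attention: `Get-NetFirewallRule -Name “<Filter Origin>` opens with a curly quote that is never closed (use straight quotes, `Get-NetFirewallRule -Name "<Filter Origin>"`), the GUID example `" {A549B7CF-0542-4B67-93F9-EEBCDD584377} "` carries spaces inside the quotes that will stop the name from matching if they are not part of the real rule name, and `Get-NetIPInterface InterfaceIndex 5` is missing the parameter dash (`Get-NetIPInterface -InterfaceIndex 5`). Minor wording: "a continuous issue to Windows customers" should be "for Windows customers", and "wasnt" in the WSH paragraph should be "wasn't".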

View File

@ -0,0 +1,213 @@
---
title: Quarantine behavior
description: Quarantine behavior is explained in detail.
ms.author: v-bshilpa
author: Benny-54
manager: dansimp
ms.assetid:
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: normal
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 11/17/2020
---
# Quarantine behavior
One of the security challenges that network admins face is configuring a machine properly after a network change.
Network changes can happen frequently. Additionally, the operations required to recategorize the network after a change and apply the correct security policies on a machine are non-trivial and may require considerable CPU time. This is especially true for machines that are part of the domain. In the past, the delay in applying security policies during network recategorization has been successfully exploited for vulnerabilities.
To counter this potential exploitation, Windows Firewall will quarantine an interface until the system has successfully recategorized the network and Windows Filtering Platform (WFP) has the correct filters applied for the updated interface configuration. During quarantine, all new inbound connections without exceptions are blocked to the machine.
While the quarantine feature has long been a part of Windows Firewall, the feature behavior has often caused confusion for customers unaware of quarantine and its motivations.
Ultimately, the goal of this document is to describe the quarantine feature at a high level and help network admins understand why the application traffic is sometimes blocked by quarantine.
## Quarantine filters
The quarantine feature creates filters that can be split into three categories:
- Quarantine default inbound block filter
- Quarantine default exception filters
- Interface un-quarantine filters
These filters are added in the FWPM_SUBLAYER_MPSSVC_QUARANTINE sublayer and these layers are:
1. FWPM_LAYER_ALE_AUTH_CONNECT_V4
2. FWPM_LAYER_ALE_AUTH_CONNECT_V6
3. FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
4. FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
>[!NOTE]
> Any firewall rules added by the customers will not affect the filters in the quarantine sublayer as filters from Firewall rules are added in the FWPM_SUBLAYER_MPSSVC_WF sublayer. In other words, customers cannot add their own exception filters to prevent packets from being evaluated by quarantine filters.
For more information about WFP layers and sublayers, see [WFP Operation](https://docs.microsoft.com/windows/win32/fwp/basic-operation).
### Quarantine default inbound block filter
The quarantine default inbound block filter effectively blocks any new non-loopback inbound connections if the packet is not explicitly permitted by another filter in the quarantine sublayer.
### Quarantine default exception filters
When the interface is in quarantine state, the quarantine default exception filters will permit new inbound connections given that they meet the conditions of an exception filter. One example of the exception filters is the quarantine default inbound loopback exception filter. This exception filter allows all loopback packets when the interface is in quarantine state.
### Interface un-quarantine filter
The interface un-quarantine filters allow all non-loopback packets if the interface is successfully categorized.
## Quarantine flow
The following describes the general flow of quarantine:
1. There is some change on the current network interface.
2. The interface un-quarantine filters will no longer permit new inbound connections. The interface is now in quarantine state.
3. All non-loopback inbound connections are either permitted by quarantine default exception filters or dropped by the quarantine default inbound block filter.
4. The WFP filters applicable to the old interface state are removed.
5. The WFP filters applicable to the new interface state are added, which include the un-quarantine filters for this interface. These filters are updated to match the interface's current state.
6. The interface has now exited quarantine state as the interface un-quarantine filters permit any new non-loopback packets.
## Quarantine diagnostics
There are two methods of identifying packet drops from the quarantine default inbound block filter.
Given that the network connectivity issue is reproducible, diagnostic traces can be collected by running the following in an administrative command prompt:
```console
Netsh wfp cap start
<Reproduce network connectivity issue>
Netsh wfp cap stop
```
These commands generate a wfpdiag.cab. Inside the .cab exists a wfpdiag.xml, which contains drop `netEvents` and filters that existed during that reproduction.
Inside the wfpdiag.xml, search for `netEvents` that have `FWPM_NET_EVENT_TYPE_CLASSIFY_DROP` as the `netEvent` type. To find the relevant drop events, search for the drop events with matching destination IP address, package SID, or application ID name.
The characters in the application ID name will be separated by periods:
```XML
<asString> \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... </asString>
```
The `netEvent` will have more information about the packet that was dropped including information about its capabilities, the filter that dropped the packet, and much more.
If the filter that dropped that packet was by the quarantine default inbound block filter, then the drop `netEvent` will have `filterOrigin` as `Quarantine Default`.
The following is a sample `netEvent` with `filterOrigin` as `Quarantine Default`.
```XML
<netEvent>
<header>
<timeStamp>2020-10-07T01:03:56.281Z</timeStamp>
<flags numItems="9">
<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V4</ipVersion>
<ipProtocol>17</ipProtocol>
<localAddrV4>255.255.255.255</localAddrV4>
<remoteAddrV4>10.195.33.252</remoteAddrV4>
<localPort>21</localPort>
<remotePort>61706</remotePort>
<scopeId>0</scopeId>
<appId>
<data>5c00640065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
<asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.v.c.h.o.s.t...e.x.e...</asString>
</appId>
<userId>S-1-5-19</userId>
<addressFamily>FWP_AF_INET</addressFamily>
<packageSid>S-1-0-0</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
<classifyDrop>
<filterId>66241</filterId>
<layerId>44</layerId>
<reauthReason>0</reauthReason>
<originalProfile>0</originalProfile>
<currentProfile>0</currentProfile>
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
<isLoopback>false</isLoopback>
<vSwitchId/>
<vSwitchSourcePort>0</vSwitchSourcePort>
<vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>
<internalFields>
<internalFlags numItems="1">
<item>FWPM_NET_EVENT_INTERNAL_FLAG_FILTER_ORIGIN_SET</item>
</internalFlags>
<capabilities/>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="3">
<item>
<filterId>66241</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
<item>
<filterId>74045</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
<item>
<filterId>73602</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
</terminatingFiltersInfo>
<filterOrigin>Quarantine Default</filterOrigin>
<interfaceIndex>5</interfaceIndex>
</internalFields>
</netEvent>
```
Alternatively, If the Filtering Platform Connection failure auditing is enabled, the drop event will be logged in Windows Event Viewer.
To enable Filtering Platform Connection audits, run the following command in an administrative command prompt:
```console
Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable
```
Sample drop audit with `filterOrigin` as `Quarantine Default`.
![Quarantine default](images/quarantine-default1.png)
Once the drops filter origin has been identified as the quarantine default inbound block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface:
```Powershell
Get-NetIPInterface InterfaceIndex <Interface Index>
Get-NetIPInterface InterfaceIndex 5
```
![Quarantine Interfaceindex](images/quarantine-interfaceindex1.png)
Using the interface name, event viewer can be searched for any interface related changes.
To enable more networking audit events, see [Enable IPsec and Windows Firewall Audit Events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754714(v=ws.10)?redirectedfrom=MSDN).
Packet drops from the quarantine default inbound block filter are often transient and do not signify anything more than a network change on the interface.
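Review bot: `Get-NetIPInterface InterfaceIndex 5` in the diagnostics section will not run as written; the parameter needs its dash: `Get-NetIPInterface -InterfaceIndex 5` (the placeholder line above it has the same problem). The sublayer names are also inconsistent between the prose and the sample: the text says quarantine filters live in `FWPM_SUBLAYER_MPSSVC_QUARANTINE` and rule filters in `FWPM_SUBLAYER_MPSSVC_WF`, while the sample `netEvent` shows `FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE`, `FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH` and `FWPP_SUBLAYER_INTERNAL_FIREWALL_WF`; a reader searching wfpdiag.xml for the names in the prose will not find them, so say which spelling appears in the XML. In the sample `<appId>`, the `<data>` hex decodes to `\dem32\svchost.exe`, not the full `\device\harddiskvolume1\windows\system32\svchost.exe` shown in `<asString>`; either paste the complete hex or mark the sample as trimmed. Small wording fixes: "Alternatively, If the Filtering Platform Connection failure auditing is enabled" should be "Alternatively, if"; "Once the drops filter origin has been identified" should be "drop's"; "added in the FWPM_SUBLAYER_MPSSVC_QUARANTINE sublayer and these layers are:" reads better as "at these layers:"; and the earlier `<asString>` snippet uses `\\.d.e.v...` while the full sample uses `\.d.e.v...`, so pick one form.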