From 6b129e368cc8e97a8680dbbed15979b112de427b Mon Sep 17 00:00:00 2001
From: Ben Alfasi <bealfasi@microsoft.com>
Date: Thu, 21 Jan 2021 20:52:24 +0200
Subject: [PATCH 01/20] 1

---
 .../find-machine-info-by-ip.md                | 95 -------------------
 .../find-machines-by-tag.md                   | 82 ++++++++++++++++
 2 files changed, 82 insertions(+), 95 deletions(-)
 delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md
 create mode 100644 windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md

diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md
deleted file mode 100644
index b94742b61d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Find device information by internal IP API
-description: Use this API to create calls related to finding a device entry around a specific timestamp by internal IP.
-keywords: ip, apis, graph api, supported apis, find device, device information
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
----
-
-# Find device information by internal IP API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-Find a device by internal IP.
-
->[!NOTE]
->The timestamp must be within the last 30 days.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-
-## HTTP request
-```
-GET /api/machines/find(timestamp={time},key={IP})
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and machine exists - 200 OK.
-If no machine found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61')
-Content-type: application/json
-```
-
-**Response**
-
-Here is an example of the response.
-
-The response will return a list of all devices that reported this IP address within sixteen minutes prior and after the timestamp. 
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
-    "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
-    "value": [
-        {
-            "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
-            "computerDnsName": "",
-            "firstSeen": "2017-07-06T01:25:04.9480498Z",
-            "osPlatform": "Windows10",
-…
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md
new file mode 100644
index 0000000000..d076dc226e
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md
@@ -0,0 +1,82 @@
+---
+title: Find devices by tag API
+description: Find all devices that contain specifc tag 
+keywords: apis, supported apis, get, device, find, find device, by tag, tag
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Find devices by tag API
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
+
+[!include[Improve request performance](../../includes/improve-request-performance.md)]
+
+
+## API description
+Find [Machines](machine.md) by [Tag](machine-tags.md).
+
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/findbytag(tag='{tag}')
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+Empty
+
+## Response
+If successful - 200 OK with list of the machines in the response body.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.microsoft.com/api/machines/findbytag(tag='testTag')
+```

From ac2d63462d8d096c5e9fd0aeead6a1839214af29 Mon Sep 17 00:00:00 2001
From: Ben Alfasi <bealfasi@microsoft.com>
Date: Thu, 21 Jan 2021 21:48:12 +0200
Subject: [PATCH 02/20] 1

---
 .../find-machines-by-tag.md                   |   2 +-
 .../import-ti-indicators.md                   | 141 ++++++++++++++++++
 .../post-ti-indicator.md                      |   5 +-
 3 files changed, 145 insertions(+), 3 deletions(-)
 create mode 100644 windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md

diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md
index d076dc226e..c077f850b8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md
@@ -79,4 +79,4 @@ Here is an example of the request.
 
 ```
 GET https://api.securitycenter.microsoft.com/api/machines/findbytag(tag='testTag')
-```
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md
new file mode 100644
index 0000000000..acc7328e9d
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md
@@ -0,0 +1,141 @@
+---
+title: Import Indicators API
+description: Learn how to use the Import batch of Indicator API in Microsoft Defender Advanced Threat Protection.
+keywords: apis, supported apis, submit, ti, indicator, update
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Import Indicators API
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
+
+[!include[Improve request performance](../../includes/improve-request-performance.md)]
+
+
+## API description
+Submits or Updates batch of [Indicator](ti-indicator.md) entities.
+<br>CIDR notation for IPs is not supported.
+
+## Limitations
+1. Rate limitations for this API are 30 calls per minute.
+2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant. 
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Ti.ReadWrite |	'Read and write Indicators'
+Application |	Ti.ReadWrite.All |	'Read and write All Indicators'
+Delegated (work or school account) |	Ti.ReadWrite |	'Read and write Indicators'
+
+
+## HTTP request
+```
+POST https://api.securitycenter.microsoft.com/api/indicators/import
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter |	Type	| Description
+:---|:---|:---
+Indicators | List<[Indicator](ti-indicator.md)> | List of [Indicators](ti-indicator.md). **Required**
+
+
+## Response
+- If successful, this method returns 200 - OK response code with a list of import results per indicator, see example below.
+- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.microsoft.com/api/indicators/import
+```
+```json
+{
+	"Indicators":
+	[
+		{
+            "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
+            "indicatorType": "FileSha1",
+            "title": "demo",
+            "application": "demo-test",
+            "expirationTime": "2021-12-12T00:00:00Z",
+            "action": "Alert",
+            "severity": "Informational",
+            "description": "demo2",
+            "recommendedActions": "nothing",
+            "rbacGroupNames": ["group1", "group2"]
+        },
+        {
+            "indicatorValue": "2233223322332233223322332233223322332233223322332233223322332222",
+            "indicatorType": "FileSha256",
+            "title": "demo2",
+            "application": "demo-test2",
+            "expirationTime": "2021-12-12T00:00:00Z",
+            "action": "Alert",
+            "severity": "Medium",
+            "description": "demo2",
+            "recommendedActions": "nothing",
+            "rbacGroupNames": []
+        }
+	]
+}
+```
+
+**Request**
+
+Here is an example of the request.
+
+```json
+{
+    "value": [
+        {
+            "id": "2841",
+            "indicator": "220e7d15b011d7fac48f2bd61114db1022197f7f",
+            "isFailed": false,
+            "failureReason": null
+        },
+        {
+            "id": "2842",
+            "indicator": "2233223322332233223322332233223322332233223322332233223322332222",
+            "isFailed": false,
+            "failureReason": null
+        }
+    ]
+}
+```
+
+## Related topic
+- [Manage indicators](manage-indicators.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
index ac9c3929ea..433f0a15eb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@@ -32,7 +32,7 @@ ms.topic: article
 
 ## API description
 Submits or Updates new [Indicator](ti-indicator.md) entity.
-<br>CIDR notation for IPs is supported.
+<br>CIDR notation for IPs is not supported.
 
 ## Limitations
 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -90,7 +90,8 @@ Here is an example of the request.
 
 ```
 POST https://api.securitycenter.microsoft.com/api/indicators
-Content-type: application/json
+```
+```json
 {
     "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
     "indicatorType": "FileSha1",

From 08ff136c0d20cf3c6c98780e6f136920d362f91d Mon Sep 17 00:00:00 2001
From: Ben Alfasi <bealfasi@microsoft.com>
Date: Thu, 21 Jan 2021 21:48:50 +0200
Subject: [PATCH 03/20] 2

---
 .../microsoft-defender-atp/import-ti-indicators.md            | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md
index acc7328e9d..822e0f9985 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md
@@ -114,9 +114,9 @@ POST https://api.securitycenter.microsoft.com/api/indicators/import
 }
 ```
 
-**Request**
+**Response**
 
-Here is an example of the request.
+Here is an example of the response.
 
 ```json
 {

From 8f1150a12f25a24568016709705f1c62e43855f1 Mon Sep 17 00:00:00 2001
From: Ben Alfasi <bealfasi@microsoft.com>
Date: Thu, 21 Jan 2021 22:10:40 +0200
Subject: [PATCH 04/20] 1

---
 windows/security/threat-protection/TOC.md                      | 2 ++
 .../threat-protection/microsoft-defender-atp/machine.md        | 1 +
 .../threat-protection/microsoft-defender-atp/ti-indicator.md   | 3 ++-
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 4fd85c48d2..af35c57f47 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -550,6 +550,7 @@
 ####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md)
 ####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
 ####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
+####### [Find machines by tag](microsoft-defender-atp/find-machines-by-tag.md)
 ####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
 ####### [Set device value](microsoft-defender-atp/set-device-value.md)
 
@@ -576,6 +577,7 @@
 ###### [Indicators]()
 ####### [Indicators methods and properties](microsoft-defender-atp/ti-indicator.md)
 ####### [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md)
+####### [Import Indicators](microsoft-defender-atp/import-ti-indicators.md)
 ####### [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md)
 ####### [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md)
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index 53bdfe131c..f4952472cd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -44,6 +44,7 @@ Method|Return Type |Description
 [Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID.
 [Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
 [Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
+[Find machines by tag](find-machines-by-tag.md) | [machine](machine.md) collection | Find machines by [Tag](machine-tags.md).
 [Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID
 [Set device value](set-device-value.md)| [machine](machine.md) collection | Set the [value of a device](tvm-assign-device-value.md).
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
index 39a5774d5c..1b6bef4976 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
@@ -35,7 +35,8 @@ ms.topic: article
 Method|Return Type |Description
 :---|:---|:---
 [List Indicators](get-ti-indicators-collection.md) | [Indicator](ti-indicator.md) Collection | List [Indicator](ti-indicator.md) entities.
-[Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submits [Indicator](ti-indicator.md) entity.
+[Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submit or update [Indicator](ti-indicator.md) entity.
+[Import Indicators](import-ti-indicators.md) | [Indicator](ti-indicator.md) Collection | Submit or update [Indicators](ti-indicator.md) entities.
 [Delete Indicator](delete-ti-indicator-by-id.md) | No Content | Deletes [Indicator](ti-indicator.md) entity.
 
 

From 544c3c53ee7ae950290838dedfa6121e7da41a6d Mon Sep 17 00:00:00 2001
From: jcaparas <macapara@microsoft.com>
Date: Thu, 21 Jan 2021 12:35:36 -0800
Subject: [PATCH 05/20] Update .openpublishing.redirection.json

redirect for deleted file
---
 .openpublishing.redirection.json | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 0cf060785e..7bcd7f8d15 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -15110,6 +15110,11 @@
       "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip",
       "redirect_document_id": true
     },
+    {
+      "source_path": "windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md",
+      "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md",
       "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/use-apis",

From 63ed3c92e22d2030cf7eb4918c71a2bcf5947f23 Mon Sep 17 00:00:00 2001
From: Matthew Palko <mapalko@microsoft.com>
Date: Thu, 21 Jan 2021 16:52:46 -0800
Subject: [PATCH 06/20] Add troubleshooting for DC certs from 3rd party CAs

---
 .../hello-deployment-issues.md                | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index 4dece74866..96f5181b12 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -45,6 +45,39 @@ After the initial logon attempt, the user's Windows Hello for Business public ke
 
 To resolve this behavior, upgrade Windows Server 2016 and 2019 domain controllers to with the latest patches. For Windows Server 2016, this behavior is fixed in build 14393.4104 ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, this behavior is fixed in build 17763.1637 ([KB4592440](https://support.microsoft.com/help/4592440)).
 
+## Azure AD Joined Device Access to On-Premises Resources Using Key Trust and Third-Party Certificate Authority (CA)
+
+Applies to:
+
+- Azure AD joined key trust deployments
+- Third-party certificate authority (CA) issuing domain controller certificates
+
+Windows Hello for Business uses smart card based authentication for many operations. Smart card has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates.
+
+For more information, read [Guidelines for enabling smart card logon with third-party certification authorities](
+https://support.microsoft.com/topic/a34a400a-51d5-f2a1-c8c0-7a6c9c49cb78).
+
+### Identifying On-premises Resource Access Issues with Third-Party CAs
+
+This issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client will fail to place a TGS_REQ request when a user attempts to access a resource. On the client, this can be observed in Kerberos event logs:
+
+    The Kerberos client received a KDC certificate that does not have a matched domain name.
+    Expected Domain Name: ad.contoso.com
+    Error Code: 0xC000006D
+
+See [How to enable Kerberos event logging](https://docs.microsoft.com/troubleshoot/windows-server/identity/enable-kerberos-event-logging#enable-kerberos-event-logging-on-a-specific-computer) for information on enabling Kerberos logs on a client device.
+
+### Resolving On-premises Resource Access Issue with Third-Party CAs
+
+To resolve this issue, domain controller certificates need to be updated so the certificate subject contains directory path of the server object (distinguished name).
+Example Subject: CN=DC1 OU=Domain Controller, DC=ad, DC=contoso, DC=com
+
+Alternatively, you can set the subject alternative name (SAN) of the domain controller certificate to contain the server object's fully qualified domain name and the NETBIOS name of the domain.
+Example Subject Alternative Name:
+dns=dc1.ad.contoso.com
+dns=ad.contoso.com
+dns=ad
+
 ## Key Trust Authentication Broken for Windows Server 2019
 
 Applies to:

From 7314f0dc114c77be6ad51885a82d2bda31189ef8 Mon Sep 17 00:00:00 2001
From: Ben Alfasi <bealfasi@microsoft.com>
Date: Fri, 22 Jan 2021 11:43:37 +0200
Subject: [PATCH 07/20] 1

---
 .../find-machine-info-by-ip.md                | 96 -------------------
 1 file changed, 96 deletions(-)
 delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md

diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md
deleted file mode 100644
index b00bf9017d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Find device information by internal IP API
-description: Use this API to create calls related to finding a device entry around a specific timestamp by internal IP.
-keywords: ip, apis, graph api, supported apis, find device, device information
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Find device information by internal IP API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
-
-[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-Find a device by internal IP.
-
->[!NOTE]
->The timestamp must be within the last 30 days.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-
-## HTTP request
-```
-GET /api/machines/find(timestamp={time},key={IP})
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and machine exists - 200 OK.
-If no machine found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61')
-Content-type: application/json
-```
-
-**Response**
-
-Here is an example of the response.
-
-The response will return a list of all devices that reported this IP address within sixteen minutes prior and after the timestamp. 
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
-    "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
-    "value": [
-        {
-            "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
-            "computerDnsName": "",
-            "firstSeen": "2017-07-06T01:25:04.9480498Z",
-            "osPlatform": "Windows10",
-…
-}
-```

From 36c2c65cd728ce4e98098f23554b8acf27f1a4da Mon Sep 17 00:00:00 2001
From: Matthew Palko <mapalko@microsoft.com>
Date: Fri, 22 Jan 2021 09:57:40 -0800
Subject: [PATCH 08/20] updating logging information for 3rd party CA SSO issue

---
 .../hello-for-business/hello-deployment-issues.md | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index 96f5181b12..2c22e05685 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -59,14 +59,23 @@ https://support.microsoft.com/topic/a34a400a-51d5-f2a1-c8c0-7a6c9c49cb78).
 
 ### Identifying On-premises Resource Access Issues with Third-Party CAs
 
-This issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client will fail to place a TGS_REQ request when a user attempts to access a resource. On the client, this can be observed in Kerberos event logs:
+This issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client will fail to place a TGS_REQ request when a user attempts to access a resource. On the client, this can be observed in the Kerberos operation event log under **Application and Services/Microsoft/Windows/Security-Kerberos/Operational**. These logs are default disabled. The failure event for this case will include the following information:
+
+    Log Name:      Microsoft-Windows-Kerberos/Operational
+    Source:        Microsoft-Windows-Security-Kerberos
+    Event ID:      107
+    GUID:          {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1} 
+    Task Category: None
+    Level:         Error
+    Keywords:      
+    User:          SYSTEM
+    Description:
 
     The Kerberos client received a KDC certificate that does not have a matched domain name.
+    
     Expected Domain Name: ad.contoso.com
     Error Code: 0xC000006D
 
-See [How to enable Kerberos event logging](https://docs.microsoft.com/troubleshoot/windows-server/identity/enable-kerberos-event-logging#enable-kerberos-event-logging-on-a-specific-computer) for information on enabling Kerberos logs on a client device.
-
 ### Resolving On-premises Resource Access Issue with Third-Party CAs
 
 To resolve this issue, domain controller certificates need to be updated so the certificate subject contains directory path of the server object (distinguished name).

From cce30db3faa820a68826c9c532b23c8d07ae4659 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 22 Jan 2021 12:42:42 -0800
Subject: [PATCH 09/20] Update microsoft-defender-antivirus-compatibility.md

---
 ...microsoft-defender-antivirus-compatibility.md | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index bac2466090..c39700cab2 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -13,7 +13,7 @@ ms.author: deniseb
 ms.custom: nextgen
 ms.reviewer: tewchen, pahuijbr, shwjha
 manager: dansimp
-ms.date: 01/11/2021
+ms.date: 01/22/2021
 ms.technology: mde
 ---
 
@@ -34,7 +34,7 @@ Microsoft Defender Antivirus is automatically enabled and installed on endpoints
 
 ## Antivirus and Microsoft Defender for Endpoint
 
-The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint.
+The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint. 
 
 
 | Windows version   | Antimalware protection  | Microsoft Defender for Endpoint enrollment | Microsoft Defender Antivirus state     |
@@ -76,20 +76,22 @@ See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antiviru
 
 ## Functionality and features available in each state
 
-The table in this section summarizes the functionality and features that are available in each state. 
+The table in this section summarizes the functionality and features that are available in each state. The table is designed to be informational only. It is intended to describe the features & capabilities that are actively working or not, according to whether Microsoft Defender Antivirus is in active mode, in passive mode, or is disabled/uninstalled. 
 
 > [!IMPORTANT]
-> The following table is informational, and it is designed to describe the features & capabilities that are turned on or off according to whether Microsoft Defender Antivirus is in Active mode, in Passive mode, or disabled/uninstalled. Do not turn off capabilities, such as real-time protection, if you are using Microsoft Defender Antivirus in passive mode or are using EDR in block mode. 
+> Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode. 
 
 |State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) |
 |--|--|--|--|--|--|
 |Active mode <br/><br/>  |Yes |No |Yes |Yes |Yes |
-|Passive mode  |No |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes |
+|Passive mode  |No |No* |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes |
 |[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md)  |No |No |Yes |Yes |Yes |
 |Automatic disabled mode  |No |Yes |No |No |No |
 
-- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
-- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
+\* When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is turned on and is in passive mode.
+
+- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
+- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
 - When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
 - When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.
 

From 81f83025b6d15dadd7fb8ab916da68c82fa61ed4 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 22 Jan 2021 12:44:33 -0800
Subject: [PATCH 10/20] Update microsoft-defender-antivirus-compatibility.md

---
 .../microsoft-defender-antivirus-compatibility.md           | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index c39700cab2..8c855a644e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -88,7 +88,7 @@ The table in this section summarizes the functionality and features that are ava
 |[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md)  |No |No |Yes |Yes |Yes |
 |Automatic disabled mode  |No |Yes |No |No |No |
 
-\* When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is turned on and is in passive mode.
+\* When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
 
 - In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
 - In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
@@ -106,13 +106,13 @@ The table in this section summarizes the functionality and features that are ava
    If you uninstall the non-Microsoft antivirus product, and use Microsoft Defender Antivirus to provide protection to your devices, Microsoft Defender Antivirus will return to its normal active mode automatically.
 
 > [!WARNING]
-> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
 
 
 ## See also
 
 - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
+- [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md)
 - [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
 - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
 - [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)

From d4e8437e7a5181c54ba7f8709188f6ed805b459d Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 22 Jan 2021 12:47:24 -0800
Subject: [PATCH 11/20] Update microsoft-defender-antivirus-compatibility.md

---
 .../microsoft-defender-antivirus-compatibility.md           | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 8c855a644e..6407748cb0 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -1,7 +1,7 @@
 ---
 title: Microsoft Defender Antivirus compatibility with other security products
-description: Get an overview of what to expect from Microsoft Defender Antivirus with other security products and the operating systems you are using.
-keywords: windows defender, next-generation, atp, advanced threat protection, compatibility, passive mode
+description: What to expect from Microsoft Defender Antivirus with other security products and the operating systems you are using.
+keywords: windows defender, next-generation, antivirus, compatibility, passive mode
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: m365-security
@@ -40,7 +40,7 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh
 | Windows version   | Antimalware protection  | Microsoft Defender for Endpoint enrollment | Microsoft Defender Antivirus state     |
 |------|------|-------|-------|
 | Windows 10  | A third-party product that is not offered or developed by Microsoft | Yes  | Passive mode  |
-| Windows 10  | A third-party product that is not offered or developed by Microsoft | No   | Automatic disabled mode     |
+| Windows 10  | A third-party product that is not offered or developed by Microsoft | No   | Automatically disabled mode     |
 | Windows 10  | Microsoft Defender Antivirus | Yes  | Active mode | 
 | Windows 10  | Microsoft Defender Antivirus | No   | Active mode |
 | Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes  | Active mode<sup>[[1](#fn1)]</sup> |

From 9d3b79c092795b58c610ccb6db325a0b277b0688 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 22 Jan 2021 12:50:13 -0800
Subject: [PATCH 12/20] Update microsoft-defender-antivirus-compatibility.md

---
 .../microsoft-defender-antivirus-compatibility.md               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 6407748cb0..6bea08e495 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -84,7 +84,7 @@ The table in this section summarizes the functionality and features that are ava
 |State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) |
 |--|--|--|--|--|--|
 |Active mode <br/><br/>  |Yes |No |Yes |Yes |Yes |
-|Passive mode  |No |No* |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes |
+|Passive mode  |No* |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes |
 |[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md)  |No |No |Yes |Yes |Yes |
 |Automatic disabled mode  |No |Yes |No |No |No |
 

From e3c367848245ca9557b88173045e4e48905b0919 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 22 Jan 2021 12:51:01 -0800
Subject: [PATCH 13/20] Update microsoft-defender-antivirus-compatibility.md

---
 .../microsoft-defender-antivirus-compatibility.md    | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 6bea08e495..eda61a27e0 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -90,13 +90,17 @@ The table in this section summarizes the functionality and features that are ava
 
 \* When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
 
-- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
-- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
-- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
-- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.
 
 ## Keep the following points in mind
 
+- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
+
+- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
+
+- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
+
+- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.
+
 - If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
 
 - When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.

From e44ab03b1935f888964e832040823e6c46a6e5ee Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 22 Jan 2021 13:01:43 -0800
Subject: [PATCH 14/20] Update microsoft-defender-antivirus-compatibility.md

---
 ...icrosoft-defender-antivirus-compatibility.md | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index eda61a27e0..f83f0d7c2b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -81,14 +81,17 @@ The table in this section summarizes the functionality and features that are ava
 > [!IMPORTANT]
 > Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode. 
 
-|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) |
-|--|--|--|--|--|--|
-|Active mode <br/><br/>  |Yes |No |Yes |Yes |Yes |
-|Passive mode  |No* |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes |
-|[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md)  |No |No |Yes |Yes |Yes |
-|Automatic disabled mode  |No |Yes |No |No |No |
+| |Active mode |Passive mode |EDR in block mode |Disabled/uninstalled |
+|:---|:---|:---|:---|:---|
+| [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No <sup>[[3](#fn3)]<sup> | No | No |
+| [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes |
+| [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | Yes | Yes | Yes | No |
+|  [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | Sometimes <sup>[[4](#fn4)]<sup> | Yes | No |
+| [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No |
 
-\* When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
+(<a id="fn3">2</a>) When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
+
+(<a id="fn4">4</a>) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans.
 
 
 ## Keep the following points in mind

From eade25b1aa6e279284484dbd59a956909da2bef0 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 22 Jan 2021 13:05:38 -0800
Subject: [PATCH 15/20] Update microsoft-defender-antivirus-compatibility.md

---
 .../microsoft-defender-antivirus-compatibility.md               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index f83f0d7c2b..d9c129f8d8 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -89,7 +89,7 @@ The table in this section summarizes the functionality and features that are ava
 |  [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | Sometimes <sup>[[4](#fn4)]<sup> | Yes | No |
 | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No |
 
-(<a id="fn3">2</a>) When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
+(<a id="fn3">3</a>) When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
 
 (<a id="fn4">4</a>) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans.
 

From 69ccbd231161f4b00dfa6d945a6bca2f9cad1e56 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 22 Jan 2021 13:06:07 -0800
Subject: [PATCH 16/20] Update microsoft-defender-antivirus-compatibility.md

---
 .../microsoft-defender-antivirus-compatibility.md               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index d9c129f8d8..4786157c84 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -81,7 +81,7 @@ The table in this section summarizes the functionality and features that are ava
 > [!IMPORTANT]
 > Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode. 
 
-| |Active mode |Passive mode |EDR in block mode |Disabled/uninstalled |
+|Protection |Active mode |Passive mode |EDR in block mode |Disabled/uninstalled |
 |:---|:---|:---|:---|:---|
 | [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No <sup>[[3](#fn3)]<sup> | No | No |
 | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes |

From a82b066840ebfe0dd73fd90f77299510156229d9 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 22 Jan 2021 13:06:42 -0800
Subject: [PATCH 17/20] Update microsoft-defender-antivirus-compatibility.md

---
 .../microsoft-defender-antivirus-compatibility.md               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 4786157c84..431f0cce09 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -86,7 +86,7 @@ The table in this section summarizes the functionality and features that are ava
 | [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No <sup>[[3](#fn3)]<sup> | No | No |
 | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes |
 | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | Yes | Yes | Yes | No |
-|  [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | Sometimes <sup>[[4](#fn4)]<sup> | Yes | No |
+|  [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | See note <sup>[[4](#fn4)]<sup> | Yes | No |
 | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No |
 
 (<a id="fn3">3</a>) When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.

From 707451815b8aadc582daed8fde478e077e2c0f68 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 22 Jan 2021 13:08:02 -0800
Subject: [PATCH 18/20] Update microsoft-defender-antivirus-compatibility.md

---
 .../microsoft-defender-antivirus-compatibility.md               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 431f0cce09..eec4d1ce3b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -81,7 +81,7 @@ The table in this section summarizes the functionality and features that are ava
 > [!IMPORTANT]
 > Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode. 
 
-|Protection |Active mode |Passive mode |EDR in block mode |Disabled/uninstalled |
+|Protection |Active mode |Passive mode |EDR in block mode |Disabled or uninstalled |
 |:---|:---|:---|:---|:---|
 | [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No <sup>[[3](#fn3)]<sup> | No | No |
 | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes |

From 62bdf47af2aaa078aef65dd8d7f8286ca2e24bc6 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 22 Jan 2021 13:23:59 -0800
Subject: [PATCH 19/20] Update microsoft-defender-antivirus-compatibility.md

---
 .../microsoft-defender-antivirus-compatibility.md               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index eec4d1ce3b..91f14d18e0 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -89,7 +89,7 @@ The table in this section summarizes the functionality and features that are ava
 |  [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | See note <sup>[[4](#fn4)]<sup> | Yes | No |
 | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No |
 
-(<a id="fn3">3</a>) When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
+(<a id="fn3">3</a>) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. However, if [Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) (Endpoint DLP) is configured and in effect, protective actions are enforced. Endpoint DLP works with real-time protection and behavior monitoring. 
 
 (<a id="fn4">4</a>) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans.
 

From f00f02304d0c69739960d08e511e56e7e405140d Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 22 Jan 2021 13:35:40 -0800
Subject: [PATCH 20/20] Update microsoft-defender-antivirus-compatibility.md

---
 .../microsoft-defender-antivirus-compatibility.md         | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 91f14d18e0..7a74769372 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -43,14 +43,14 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh
 | Windows 10  | A third-party product that is not offered or developed by Microsoft | No   | Automatically disabled mode     |
 | Windows 10  | Microsoft Defender Antivirus | Yes  | Active mode | 
 | Windows 10  | Microsoft Defender Antivirus | No   | Active mode |
-| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes  | Active mode<sup>[[1](#fn1)]</sup> |
-| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No  | Must be set to passive mode (manually)<sup>[[1](#fn1)]<sup>  |
+| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes  | Active mode <sup>[[1](#fn1)]</sup> |
+| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No  | Must be set to passive mode (manually) <sup>[[1](#fn1)]<sup>  |
 | Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus  | Yes |         Active mode  |
 | Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | No  | Active mode |
 | Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode |
 | Windows Server 2016 | Microsoft Defender Antivirus | No | Active mode |
-| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually)<sup>[[2](#fn2)]<sup> |
-| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually)<sup>[[2](#fn2)]<sup> |
+| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually) <sup>[[2](#fn2)]<sup> |
+| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) <sup>[[2](#fn2)]<sup> |
 
 (<a id="fn1">1</a>)  On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server.