Merge branch 'master' into MDBranchPhase2bPoliciesSet2

education/docfx.json

@@ -7,7 +7,8 @@
           "**/**.yml"
         ],
         "exclude": [
-          "**/obj/**"
+          "**/obj/**",
+          "**/includes/**"
         ]
       }
     ],
@@ -19,7 +20,8 @@
           "**/*.svg"
         ],
         "exclude": [
-          "**/obj/**"
+          "**/obj/**",
+          "**/includes/**"
         ]
       }
     ],

windows/client-management/mdm/change-history-for-mdm-documentation.md

@@ -21,6 +21,7 @@ This article lists new and updated articles for the Mobile Device Management (MD
 |New or updated article | Description|
 |--- | ---|
 | [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy:<br>- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) |
+| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:<br>-Properties/SleepMode |
 
 ## October 2020
 

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -27,6 +27,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 |New or updated article|Description|
 |-----|-----|
 | [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:<br>- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)<br>- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)<br>- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)<br>- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)<br>- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)<br>- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)<br>- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)<br>- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) |
+| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:<br>-Properties/SleepMode |
 | [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:<br>- Settings/AllowWindowsDefenderApplicationGuard |
 
 ## What’s new in MDM for Windows 10, version 2004

windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -1659,7 +1659,7 @@ You can turn off **Enhanced Notifications** as follows:
 
   -or-
 
-- Create a new REG_SZ registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** to a value of **1**.
+- Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**.
 
 
 ### <a href="" id="bkmk-defender-smartscreen"></a>24.1 Windows Defender SmartScreen

windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md

@@ -50,18 +50,30 @@ This page explains how to create an AAD application, get an access token to Micr
 
 ## Create an app
 
-1. Log on to [Azure](https://portal.azure.com) with user that has **Global Administrator** role.
+1. Log on to [Azure](https://portal.azure.com) with a user account that has the **Global Administrator** role.
 
 2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**. 
 
    ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app2.png)
 
-3. In the registration from, enter the following information then select **Register**.
+3. When the **Register an application** page appears, enter your application's registration information:
 
-   ![Image of Create application window](images/nativeapp-create2.png)
+   - **Name** - Enter a meaningful application name that will be displayed to users of the app.
+   - **Supported account types** - Select which accounts you would like your application to support.
 
-   - **Name:** -Your application name-
-   - **Application type:** Public client
+       | Supported account types | Description |
+       |-------------------------|-------------|
+       | **Accounts in this organizational directory only** | Select this option if you're building a line-of-business (LOB) application. This option is not available if you're not registering the application in a directory.<br><br>This option maps to Azure AD only single-tenant.<br><br>This is the default option unless you're registering the app outside of a directory. In cases where the app is registered outside of a directory, the default is Azure AD multi-tenant and personal Microsoft accounts. |
+       | **Accounts in any organizational directory** | Select this option if you would like to target all business and educational customers.<br><br>This option maps to an Azure AD only multi-tenant.<br><br>If you registered the app as Azure AD only single-tenant, you can update it to be Azure AD multi-tenant and back to single-tenant through the **Authentication** blade. |
+       | **Accounts in any organizational directory and personal Microsoft accounts** | Select this option to target the widest set of customers.<br><br>This option maps to Azure AD multi-tenant and personal Microsoft accounts.<br><br>If you registered the app as Azure AD multi-tenant and personal Microsoft accounts, you cannot change this in the UI. Instead, you must use the application manifest editor to change the supported account types. |
+
+   - **Redirect URI (optional)** - Select the type of app you're building, **Web** or **Public client (mobile & desktop)**, and then enter the redirect URI (or reply URL) for your application.
+       - For web applications, provide the base URL of your app. For example, `http://localhost:31544` might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application.
+       - For public client applications, provide the URI used by Azure AD to return token responses. Enter a value specific to your application, such as `myapp://auth`.
+
+     To see specific examples for web applications or native applications, check out our [quickstarts](/azure/active-directory/develop/#quickstarts).
+
+     When finished, select **Register**.
 
 4. Allow your Application to access Microsoft Defender for Endpoint and assign it 'Read alerts' permission:
 

windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md

@@ -58,6 +58,9 @@ Wildcard | Description | Example | Matches | Does not match
 \* |	Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/*/*.log` | `/var/log/system.log` | `/var/log/nested/system.log`
 ? | Matches any single character | `file?.log` | `file1.log`<br/>`file2.log` | `file123.log`
 
+>[!NOTE]
+>The product attempts to resolve firmlinks when evaluating exclusions. Firmlink resolution does not work when the exclusion contains wildcards or the target file (on the `Data` volume) does not exist.
+
 ## How to configure the list of exclusions
 
 ### From the management console

windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md

@@ -23,6 +23,9 @@ ms.topic: conceptual
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
+> [!IMPORTANT]
+> On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md).
+
 > [!IMPORTANT]
 > Extensive testing of MDE (Microsoft Defender for Endpoint) with new system extensions on macOS 11 (Big Sur) revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. In the meantime, if you encounter such a kernel panic, please submit a feedback report to Apple through the Feedback Assistant app.
 

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md

@@ -65,6 +65,9 @@ There are several methods and deployment tools that you can use to install and c
 
 The three most recent major releases of macOS are supported.
 
+> [!IMPORTANT]
+> On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md).
+
 > [!IMPORTANT]
 > Extensive testing of MDE (Microsoft Defender for Endpoint) with new system extensions on macOS 11 (Big Sur) revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. In the meantime, if you encounter such a kernel panic, please submit a feedback report to Apple through the Feedback Assistant app.
 

windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md

@@ -29,65 +29,112 @@ ms.topic: conceptual
 
 >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
 
-Sometimes, you may not be able to take the remediation steps suggested by a security recommendation. If that is the case, threat and vulnerability management gives you an avenue to create an exception.
+As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. If your organization has device groups, you will be able to scope the exception to specific device groups. Exceptions can either be created for selected device groups, or for all device groups past and present.  
 
-When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and no longer shows up in the security recommendations list.
+When an exception is created for a recommendation, the recommendation will not be active until the end of the exception duration. The recommendation state will change to **Full exception** or **Partial exception** (by device group).
+
+## Permissions
+
+Only users with “exceptions handling” permissions can manage exceptions (including creating or canceling). [Learn more about RBAC roles](user-roles.md).
+
+![View of exception handling permission.](images/tvm-exception-permissions.png)
 
 ## Create an exception
 
-1. Go to the threat and vulnerability management navigation menu in the Microsoft Defender Security Center, and select [**Security recommendations**](tvm-security-recommendation.md).
+Select a security recommendation you would like create an exception for, and then select **Exception options** and fill out the form.  
 
-2. Select a security recommendation you would like to create an exception for, and then **Exception options**.
-![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-option.png)
+![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png)
 
-3. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
+### Exception by device group
+
+Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from “active” to “partial exception.” The state will change to “full exception” if you select all the device groups.
+
+![Showing device group dropdown.](images/tvm-exception-device-group-500.png)
+
+#### Filtered views
+
+If you have filtered by device group on any of the threat and vulnerability management pages, only your filtered device groups will appear as options.
+
+This is the button to filter by device group on any of the threat and vulnerability management pages: 
+
+![Showing selected device groups filter.](images/tvm-selected-device-groups.png)
+
+Exception view with filtered device groups:
+
+![Showing filtered device group dropdown.](images/tvm-exception-device-filter500.png)
+
+#### Large number of device groups
+
+If your organization has more than 20 device groups, select **Edit** next to the filtered device group option.
+
+![Showing how to edit large numbers of groups.](images/tvm-exception-edit-groups.png)
+
+A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all.
+
+![Showing large device group flyout.](images/tvm-exception-device-group-flyout-400.png)
+
+### Global exceptions
+
+If you have global administrator permissions (called Microsoft Defender ATP administrator), you will be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from “active” to “full exception.”
+
+![Showing global exception option.](images/tvm-exception-global.png)
+
+Some things to keep in mind:
+
+- If a recommendation is under global exception, then newly created exceptions for device groups will be suspended until the global exception has expired or been cancelled. After that point, the new device group exceptions will go into effect until they expire.
+- If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception will be suspended until it expires or the global exception is cancelled before it expires.
+
+### Justification
+
+Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
 
 The following list details the justifications behind the exception options:
 
 - **Third party control** - A third party product or software already addresses this recommendation
-        - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced
+        - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced
 - **Alternate mitigation** - An internal tool already addresses this recommendation
-        - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced
+        - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced
 - **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive
 - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
 
-4. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
+## View all exceptions
 
-## View your exceptions
+Navigate to the **Exceptions** tab in the **Remediation** page. You can filter by justification, type, and status.
 
-When you file for an exception from the security recommendations page, you create an exception  for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md).
+ Select an exception to open a flyout with more details. Exceptions per devices group will have a list of every device group the exception covers, which you can export. You can also view the related recommendation or cancel the exception.
 
-The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status.  
 
-![Example of the exception page and filter options.](images/tvm-exception-filters.png)
+![Showing the "Exceptions" tab in the Remediation page.](images/tvm-exception-view.png)
 
-### Exception actions and statuses
 
-Once an exception exists, you can cancel it at any time by going to the exception in the **Remediation** page and selecting **Cancel exception**.
+## How to cancel an exception
 
-The following statuses will be a part of an exception:
+To cancel an exception, navigate to the **Exceptions** tab in the **Remediation** page. Select the exception. To cancel the exception for all device groups, select the **Cancel exception** button. You can also cancel the exception for a specific device group.
 
-- **Canceled** - The exception has been canceled and is no longer in effect  
-- **Expired** - The exception that you've filed is no longer in effect
-- **In effect** - The exception that you've filed is in progress
+### Cancel the exception for a specific device group
 
-### Exception impact on scores
+Select the specific device group to cancel the exception for it. A flyout will appear for the device group, and you can select **Cancel exception**.
 
-Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Microsoft Secure Score for Devices of your organization in the following manner:
+![Showing how to select a specific device group.](images/tvm-exception-device-group-hover.png)
 
-- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores.
-- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
-- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Microsoft Secure Score for Devices results out of the exception option that you made.
 
-The exception impact shows on both the Security recommendations page column and in the flyout pane.
+### Cancel a global exception
 
-![Screenshot identifying the impact sections which list score impacts in the full page security recommendations table, and the flyout.](images/tvm-exception-impact.png)
+If it is a global exception, select an exception from the list and then select **Cancel exception** from the flyout.
 
-### View exceptions in other places
+![Showing how to cancel the exception for a global exception.](images/tvm-exception-cancel-global-400.png)
 
-Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. It will open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status.
+## View impact after exceptions are applied
 
-![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard.](images/tvm-exception-dashboard.png)
+In the Security Recommendations page, select **Customize columns** and check the boxes for **Exposed devices (after exceptions)** and **Impact (after exceptions)**.
+
+![Showing customize columns options.](images/tvm-after-exceptions.png)
+
+The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include ‘third party control’ and ‘alternate mitigation’. Other justifications do not reduce the exposure of a device, and they are still considered exposed.
+
+The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include ‘third party control’ and ‘alternate mitigation.’ Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change.
+
+![Showing the columns in the table.](images/tvm-after-exceptions-table.png)
 
 ## Related topics
 

windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md

@@ -44,11 +44,13 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender fo
 
 2. Select a security recommendation you would like to request remediation for, and then select **Remediation options**.
 
-3. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices.
+3. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. If you choose the "attention required" remediation option, selecting a due date will not be available since there is no specific action.
 
-4. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
+4. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices.
 
-5. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request.
+5. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
+
+6. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request.
 
 If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
 
@@ -63,6 +65,8 @@ Lower your organization's exposure from vulnerabilities and increase your securi
 
 When you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created that can be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
 
+If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there is no actual action we can monitor.
+
 Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete.
 ![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.](images/remediation_flyouteolsw.png)
 

windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md

@@ -95,7 +95,7 @@ From the flyout, you can choose any of the following options:
 
 - **Open software page** - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution.
 
-- [**Remediation options**](tvm-remediation.md) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
+- [**Remediation options**](tvm-remediation.md) - Submit a remediation request to open a ticket in Microsoft Intune for your IT administrator to pick up and address. Track the remediation activity in the Remediation page.
 
 - [**Exception options**](tvm-exception.md) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet.
 
@@ -104,6 +104,144 @@ From the flyout, you can choose any of the following options:
 
 ### Investigate changes in device exposure or impact
 
+If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and configuration score, then that security recommendation is worth investigating.
+
+1. Select the recommendation and **Open software page**
+2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md)
+3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request
+
+## Request remediation
+
+The threat and vulnerability management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
+
+### Enable Microsoft Intune connection
+
+To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**.
+
+See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+
+### Remediation request steps
+
+1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**.
+
+2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices.
+
+3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
+
+4. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request.
+
+If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+
+>[!NOTE]
+>If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune.
+
+## File for exception
+
+As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. Only users with “exceptions handling” permissions can add exception. [Learn more about RBAC roles](user-roles.md). If your organization has device groups, you will now be able to scope the exception to specific device groups.
+
+When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state will change to **Full exception** or **Partial exception** (by device group).
+
+### How to create an exception
+
+Select a security recommendation you would like create an exception for, and then select **Exception options**.  
+
+![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png)
+
+Choose the scope and justification, set a date for the exception duration, and submit. To view all your exceptions (current and past), navigate to the [Remediation](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab.
+
+### Exception scope
+
+Exceptions can either be created for selected device groups, or for all device groups past and present.  
+
+#### Exception by device group
+
+Apply the exception to all device groups or choose specific device groups. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from “active” to “partial exception.” The state will change to “full exception” if you select all the device groups.
+
+![Showing device group dropdown.](images/tvm-exception-device-group-500.png)
+
+##### Filtered
+
+If you have filtered by device group on any of the threat and vulnerability management pages, only your filtered device groups will appear as options.
+
+Button to filter by device group on any of the threat and vulnerability management pages: 
+
+![Showing selected device groups filter.](images/tvm-selected-device-groups.png)
+
+Exception view with filtered device groups:
+
+![Showing filtered device group dropdown.](images/tvm-exception-device-filter500.png)
+
+##### Large number of device groups
+
+If your organization has more than 20 device groups, select **Edit** next to the filtered device group option.
+
+![Showing how to edit large numbers of groups.](images/tvm-exception-edit-groups.png)
+
+A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all.
+
+![Showing large device group flyout.](images/tvm-exception-device-group-flyout-400.png)
+
+#### Global exceptions
+
+If you have global administrator permissions (called Microsoft Defender ATP administrator), you will be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from “active” to “full exception.”
+
+![Showing global exception option.](images/tvm-exception-global.png)
+
+Some things to keep in mind:
+
+- If a recommendation is under global exception, then newly created exceptions for device groups will be suspended until the global exception has expired or been cancelled. After that point, the new device group exceptions will go into effect until they expire.
+- If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception will be suspended until it expires or the global exception is cancelled before it expires.
+
+### Justification
+
+Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
+
+The following list details the justifications behind the exception options:
+
+- **Third party control** - A third party product or software already addresses this recommendation
+        - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced
+- **Alternate mitigation** - An internal tool already addresses this recommendation
+        - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced
+- **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive
+- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
+
+### View all exceptions
+
+Navigate to the **Exceptions** tab in the **Remediation** page.
+
+![Showing the "Exceptions" tab in the Remediation page.](images/tvm-exception-tab400.png)
+
+Select an exception to open a flyout with more details. Exceptions per devices group will have a list of every device group the exception covers, which you can Export. You can also view the related recommendation or cancel the exception.
+
+### How to cancel an exception
+
+To cancel an exception, navigate to the **Exceptions** tab in the **Remediation** page. Select the exception.
+
+#### Cancel the exception for a specific device group
+
+If the exception is per device group, then you will need to select the specific device group to cancel the exception for it. 
+
+![Showing how to select a specific device group.](images/tvm-exception-device-group-hover.png)
+
+A flyout will appear for the device group, and you can select **Cancel exception**.
+
+#### Cancel a global exception
+
+If it is a global exception, select an exception from the list and then select **Cancel exception** from the flyout.
+
+![Showing how to cancel the exception for a global exception.](images/tvm-exception-cancel-global-400.png)
+
+### View impact after exceptions are applied
+
+In the Security Recommendations page, select **Customize columns** and check the boxes for **Exposed devices (after exceptions)** and **Impact (after exceptions)**.
+
+![Showing customize columns options.](images/tvm-after-exceptions.png)
+
+The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include ‘third party control’ and ‘alternate mitigation’. Other justifications do not reduce the exposure of a device, and they are still considered exposed.
+
+The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include ‘third party control’ and ‘alternate mitigation.’ Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change.
+
+![Showing the columns in the table.](images/tvm-after-exceptions-table.png)
 If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Microsoft Secure Score for Devices, then that security recommendation is worth investigating.
 
 1. Select the recommendation and **Open software page**

windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md

@@ -57,7 +57,7 @@ Select the software that you want to investigate. A flyout panel will open with
 
 ### Software that isn't supported
 
-Software that isn't currently supported by threat & vulnerability management is still present in the Software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section.
+Software that isn't currently supported by threat & vulnerability management may be present in the Software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section.
 
 ![Unsupported software filter.](images/tvm-unsupported-software-filter.png)
 
@@ -66,6 +66,7 @@ The following indicates that a software is not supported:
 - Weaknesses field shows "Not available"
 - Exposed devices field shows a dash
 - Informational text added in side panel and in software page
+- The software page won't have the security recommendations, discovered vulnerabilities, or event timeline sections
 
 Currently, products without a CPE are not shown in the software inventory page, only in the device level software inventory.
 

windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md

@@ -84,10 +84,14 @@ Go to the security recommendation page and select a recommendation with a zero-d
 
 There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed.
 
-Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.”
+Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. You won't be able to select a due date, since there is no specific action to perform. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.”
 
 ![Zero day flyout example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-software-flyout-400.png)
 
+## Track zero-day remediation activities
+
+Go to the threat and vulnerability management [Remediation](tvm-remediation.md) page to view the remediation activity item. If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there is no actual action we can monitor. You can filter by remediation type, such as "software update" or "attention required," to see all activity items in the same category.
+
 ## Patching zero-day vulnerabilities
 
 When a patch is released for the zero-day, the recommendation will be changed to “Update” and a blue label next to it that says “New security update for zero day.” It will no longer consider as a zero-day, the zero-day tag will be removed from all pages.

windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md

@@ -33,17 +33,17 @@ As of Windows 10, version 1703, you can use WDAC policies not only to control ap
 
 To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your 'master' policy (merging is described in the next section).
 
-For example, to create a WDAC policy that allows **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization's enterprise resource planning (ERP) application, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable:
+For example, to create a WDAC policy allowing **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization's enterprise resource planning (ERP) application, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable:
 
 ```powershell
-$rule = New-CIPolicyRule -DriverFilePath '.\ERP1.exe' -Level FileName -AppID '.\temp\addin1.dll'
-$rule += New-CIPolicyRule -DriverFilePath '.\ERP1.exe' -Level FileName -AppID '.\temp\addin2.dll'
+$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
+$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
 New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs
 ```
 
 As another example, to create a WDAC policy that blocks **addin3.dll** from running in Microsoft Word, run the following command. You must include the `-Deny` option to block the specified add-ins in the specified application:
 
 ```powershell
-$rule = New-CIPolicyRule -DriverFilePath '.\winword.exe' -Level FileName -Deny -AppID '.\temp\addin3.dll'
+$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe'
 New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
 ```