From 9d79c614ef3fd37d6763739aa8fbbb07e22df606 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Wed, 1 Nov 2017 13:31:58 -0700
Subject: [PATCH 1/8] update to pre-reqs on actions

---
 ...windows-defender-advanced-threat-protection.md | 15 ++++++++++++---
 ...windows-defender-advanced-threat-protection.md | 11 +++++------
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 10734a86ca..db6ecc2b69 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -29,17 +29,26 @@ ms.date: 10/17/2017
 
 Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
 
->[!NOTE]
-> These response actions are only available for machines on Windows 10, version  1703.
+>[!IMPORTANT]
+>These response actions are only available for machines on Windows 10, version 1703 or later.
 
 You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file.
 
 ## Stop and quarantine files in your network
 You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed.
 
+>[!IMPORTANT]
+>You can only take this action if:
+> - The machine you're taking the action on is running Windows 10, version 1703 or later
+> - The file does not belong to the system or not signed by Microsoft
+> - Windows Defender Antivirus must at least be running on Passive mode
+
 The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
 
-The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days.
+The action takes effect on machines with the latest Windows 10, version 1703 and above where the file was observed in the last 30 days.
+
+>[!NOTE]
+>You’ll be able to remove the file from quarantine at any time.
 
 ### Stop and quarantine files
 1.	Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index ffd0412eb8..dbed86a45a 100644
--- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -24,20 +24,19 @@ ms.date: 10/17/2017
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 
-
-
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) 
 
 Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
 
->[!NOTE]
-> These response actions are only available for machines on Windows 10, version  1703.
-
-
+>[!IMPORTANT]
+> These response actions are only available for PCs on Windows 10, version  1703 and above. 
 
 ## Collect investigation package from machines
 As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.
 
+>[!IMPORTANT]
+> This response action is only available for machines on Windows 10, version  1703 and above.
+
 You can download the package (Zip file) and investigate the events that occurred on a machine.
 
 The package contains the following folders:

From b24fe893325b29b09dba603cafcb03679064f090 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Wed, 1 Nov 2017 16:27:41 -0700
Subject: [PATCH 2/8] updates

---
 ...ile-alerts-windows-defender-advanced-threat-protection.md | 5 +++--
 ...ine-alerts-windows-defender-advanced-threat-protection.md | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index db6ecc2b69..583a583988 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -107,8 +107,9 @@ You can roll back and remove a file from quarantine if you’ve determined that
 You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
 
 >[!NOTE]
->This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.  For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). </br></br>
-This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. This response action is available for machines on Windows 10, version 1703 or later.
+>- This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.  For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). </br></br>
+>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. 
+>- This response action is only available for machines on Windows 10, version 1703 or later.
 
 >[!IMPORTANT]
 > The PE file needs to be in the machine timeline for you to be able to take this action.  
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index dbed86a45a..8d6f2ada9e 100644
--- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -29,13 +29,13 @@ ms.date: 10/17/2017
 Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
 
 >[!IMPORTANT]
-> These response actions are only available for PCs on Windows 10, version  1703 and above. 
+> These response actions are only available for PCs on Windows 10, version  1703 and later. 
 
 ## Collect investigation package from machines
 As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.
 
 >[!IMPORTANT]
-> This response action is only available for machines on Windows 10, version  1703 and above.
+> This response action is only available for machines on Windows 10, version  1703 and later.
 
 You can download the package (Zip file) and investigate the events that occurred on a machine.
 

From d2f2c7b515b72e1a1b1c31f293a8499c4a52db95 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Wed, 1 Nov 2017 16:42:44 -0700
Subject: [PATCH 3/8] minor updates

---
 windows/threat-protection/TOC.md                            | 1 +
 ...le-alerts-windows-defender-advanced-threat-protection.md | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index ce3a47ceb7..3eb9dfc4fd 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -69,6 +69,7 @@
 ###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
 ###### [Remove file from quarantine](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
 ###### [Block files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+###### [Remove file from blocked list](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
 ###### [Check activity details in Action center](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
 ###### [Deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
 ####### [Submit files for analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 583a583988..a559e0f478 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -40,8 +40,8 @@ You can contain an attack in your organization by stopping the malicious process
 >[!IMPORTANT]
 >You can only take this action if:
 > - The machine you're taking the action on is running Windows 10, version 1703 or later
-> - The file does not belong to the system or not signed by Microsoft
-> - Windows Defender Antivirus must at least be running on Passive mode
+> - The file does not belong to trusted third-party publishers or not signed by Microsoft
+> - Windows Defender Antivirus must at least be running on Passive mode 
 
 The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
 
@@ -79,7 +79,7 @@ When the file is being removed from an endpoint, the following notification is s
 
 In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
 
->[!NOTE]
+>[!IMPORTANT]
 >The **Action** button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal of critical system files and files used by important applications.
 
 ![Image of action button turned off](images/atp-file-action.png)

From 0ce44c44e19625d51661c484b9a885426ad9d0f1 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Wed, 1 Nov 2017 17:01:05 -0700
Subject: [PATCH 4/8] minor change

---
 ...file-alerts-windows-defender-advanced-threat-protection.md | 4 ++--
 ...hine-alerts-windows-defender-advanced-threat-protection.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index a559e0f478..20cd52d1c5 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -106,12 +106,12 @@ You can roll back and remove a file from quarantine if you’ve determined that
 ## Block files in your network
 You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
 
->[!NOTE]
+>[!IMPORTANT]
 >- This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.  For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). </br></br>
 >- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. 
 >- This response action is only available for machines on Windows 10, version 1703 or later.
 
->[!IMPORTANT]
+>[!NOTE]
 > The PE file needs to be in the machine timeline for you to be able to take this action.  
 
 
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index 8d6f2ada9e..bbef37d999 100644
--- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -29,7 +29,7 @@ ms.date: 10/17/2017
 Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
 
 >[!IMPORTANT]
-> These response actions are only available for PCs on Windows 10, version  1703 and later. 
+> These response actions are only available for machines on Windows 10, version  1703 and later. 
 
 ## Collect investigation package from machines
 As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.

From 075074135adbbaabd51586097a07b3d682454a14 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Thu, 2 Nov 2017 11:10:13 -0700
Subject: [PATCH 5/8] updates on notes and important

---
 ...ndows-defender-advanced-threat-protection.md |  6 +++---
 ...ndows-defender-advanced-threat-protection.md | 17 ++++++++++++++---
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 20cd52d1c5..c346dc4ffe 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -41,7 +41,7 @@ You can contain an attack in your organization by stopping the malicious process
 >You can only take this action if:
 > - The machine you're taking the action on is running Windows 10, version 1703 or later
 > - The file does not belong to trusted third-party publishers or not signed by Microsoft
-> - Windows Defender Antivirus must at least be running on Passive mode 
+> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility).
 
 The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
 
@@ -107,9 +107,9 @@ You can roll back and remove a file from quarantine if you’ve determined that
 You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
 
 >[!IMPORTANT]
->- This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.  For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). </br></br>
+>- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). </br></br>
 >- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. 
->- This response action is only available for machines on Windows 10, version 1703 or later.
+>- This response action is available for machines on Windows 10, version 1703 or later.
 
 >[!NOTE]
 > The PE file needs to be in the machine timeline for you to be able to take this action.  
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index bbef37d999..af19622d4a 100644
--- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -35,7 +35,7 @@ Quickly respond to detected attacks by isolating machines or collecting an inves
 As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.
 
 >[!IMPORTANT]
-> This response action is only available for machines on Windows 10, version  1703 and later.
+> This response action is available for machines on Windows 10, version  1703 and later.
 
 You can download the package (Zip file) and investigate the events that occurred on a machine.
 
@@ -88,8 +88,9 @@ The package contains the following folders:
 ## Run Windows Defender Antivirus scan on machines
 As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.
 
->[!NOTE]
-> A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not.
+>[!IMPORTANT]
+>- This action is available for machines on Windows 10, version  1709 and later.
+>- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not.
 
 1.	Select the machine that you want to run the scan on. You can select or search for a machine from any of the following views:
 
@@ -120,6 +121,11 @@ The machine timeline will include a new event, reflecting that a scan action was
 ## Restrict app execution
 In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
 
+>[!IMPORTANT]
+> - This action is available for machines on Windows 10, version  1709 and later.
+> - This action needs to meet the Windows Defender Application Control code integrity policy formas and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing).
+
+
 The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.
 
 >[!NOTE]
@@ -170,6 +176,11 @@ Depending on the severity of the attack and the state of the machine, you can ch
 ## Isolate machines from the network
 Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.
 
+>[!IMPORTANT]
+>- Full isolation is available for machines on Windows 10, version 1703.
+>- Selective isolation is available for machines on Windows 10, version 1709 and above.
+>- 
+
 This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
 
 On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.

From d465f6fd751cb04f7c96fc75fd71cd85fe2b1ff7 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Thu, 2 Nov 2017 12:50:52 -0700
Subject: [PATCH 6/8] fix link

---
 ...d-file-alerts-windows-defender-advanced-threat-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index c346dc4ffe..8101839e92 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -41,7 +41,7 @@ You can contain an attack in your organization by stopping the malicious process
 >You can only take this action if:
 > - The machine you're taking the action on is running Windows 10, version 1703 or later
 > - The file does not belong to trusted third-party publishers or not signed by Microsoft
-> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility).
+> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
 
 The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
 

From 26665db1f0d3fe102af6bad0b9955f24d3d8c86f Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Thu, 9 Nov 2017 16:01:16 -0800
Subject: [PATCH 7/8] update to wdav reqs

---
 ...ile-alerts-windows-defender-advanced-threat-protection.md | 2 +-
 ...ine-alerts-windows-defender-advanced-threat-protection.md | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 8101839e92..9d43d529d6 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 10/17/2017
+ms.date: 11/10/2017
 ---
 
 # Take response actions on a file
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index a7f615af1e..244613a878 100644
--- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 10/17/2017
+ms.date: 11/10/2017
 ---
 
 # Take response actions on a machine
@@ -90,7 +90,8 @@ As part of the investigation or response process, you can remotely initiate an a
 
 >[!IMPORTANT]
 >- This action is available for machines on Windows 10, version  1709 and later.
->- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not.
+>- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+
 
 1.	Select the machine that you want to run the scan on. You can select or search for a machine from any of the following views:
 

From 2a690af06602471d349c67bac4aecc445cc563f0 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Thu, 9 Nov 2017 16:12:34 -0800
Subject: [PATCH 8/8] updates

---
 windows/threat-protection/TOC.md                     |  2 +-
 ...ts-windows-defender-advanced-threat-protection.md |  2 +-
 ...ts-windows-defender-advanced-threat-protection.md | 12 ++++++------
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index 1646612a6a..e9db3c1bbe 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -60,7 +60,7 @@
 #### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
 #### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
 ##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
-###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
+###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
 ###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
 ###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
 ###### [Remove app restriction](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 9d43d529d6..f5bdb18d2e 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -45,7 +45,7 @@ You can contain an attack in your organization by stopping the malicious process
 
 The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
 
-The action takes effect on machines with the latest Windows 10, version 1703 and above where the file was observed in the last 30 days.
+The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
 
 >[!NOTE]
 >You’ll be able to remove the file from quarantine at any time.
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index 244613a878..3ab0892e62 100644
--- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -29,13 +29,13 @@ ms.date: 11/10/2017
 Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
 
 >[!IMPORTANT]
-> These response actions are only available for machines on Windows 10, version  1703 and later. 
+> These response actions are only available for machines on Windows 10, version  1703 or later. 
 
 ## Collect investigation package from machines
 As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.
 
 >[!IMPORTANT]
-> This response action is available for machines on Windows 10, version  1703 and later.
+> This response action is available for machines on Windows 10, version  1703 or later.
 
 You can download the package (Zip file) and investigate the events that occurred on a machine.
 
@@ -89,7 +89,7 @@ The package contains the following folders:
 As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.
 
 >[!IMPORTANT]
->- This action is available for machines on Windows 10, version  1709 and later.
+>- This action is available for machines on Windows 10, version  1709 or later.
 >- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
 
 
@@ -123,7 +123,7 @@ The machine timeline will include a new event, reflecting that a scan action was
 In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
 
 >[!IMPORTANT]
-> - This action is available for machines on Windows 10, version  1709 and later.
+> - This action is available for machines on Windows 10, version  1709 or later.
 > - This action needs to meet the Windows Defender Application Control code integrity policy formas and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing).
 
 
@@ -179,12 +179,12 @@ Depending on the severity of the attack and the sensitivity of the machine, you
 
 >[!IMPORTANT]
 >- Full isolation is available for machines on Windows 10, version 1703.
->- Selective isolation is available for machines on Windows 10, version 1709 and above.
+>- Selective isolation is available for machines on Windows 10, version 1709 or later.
 >- 
 
 This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
 
-On Windows 10, version 1709 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.
+On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.
 
 >[!NOTE]
 >You’ll be able to reconnect the machine back to the network at any time.