diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 0d071ba0be..ca67afe7cb 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -573,7 +573,7 @@
###### [Vulnerability]()
####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
####### [List vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
-####### [List vulnerabilities by Machine and Software](microsoft-defender-atp/get-all-vulnerabilities-by-machines.md)
+####### [List vulnerabilities by machine and software](microsoft-defender-atp/get-all-vulnerabilities-by-machines.md)
####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
index 92405839bb..9022d913df 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
@@ -42,7 +42,8 @@ Microsoft Defender ATP for Android enables admins to configure custom indicators
## Configure web protection
Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
-[!NOTE]
+
+>[!NOTE]
> Microsoft Defender ATP for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-manage-android).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-cve-detection-logic.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-cve-detection-logic.png
new file mode 100644
index 0000000000..6701a4521b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-cve-detection-logic.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-software.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-software.png
new file mode 100644
index 0000000000..9f360f0b7e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-software.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weakness-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weakness-flyout.png
new file mode 100644
index 0000000000..0e81640cb2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weakness-flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weakness-flyout400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weakness-flyout400.png
new file mode 100644
index 0000000000..302b4883b3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weakness-flyout400.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
index d96e6da0ab..c0fe9490e6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
@@ -74,7 +74,7 @@ You can validate that your exclusion lists are working by using `curl` to downlo
In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
```bash
-$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
+curl -o test.txt https://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index 018c229b01..b95777caa1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -747,7 +747,7 @@ The following templates contain entries for all settings described in this docum
The property list must be a valid *.plist* file. This can be checked by executing:
```bash
-$ plutil -lint com.microsoft.wdav.plist
+plutil -lint com.microsoft.wdav.plist
com.microsoft.wdav.plist: OK
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
index 0f63486ad1..5fbcec859f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
@@ -53,7 +53,7 @@ You can configure how PUA files are handled from the command line or from the ma
In Terminal, execute the following command to configure PUA protection:
```bash
-$ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
+mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
```
### Use the management console to configure PUA protection:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index a4780aaea9..602205a4ae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -30,7 +30,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
1. Increase logging level:
```bash
- $ mdatp --log-level verbose
+ mdatp --log-level verbose
Creating connection to daemon
Connection established
Operation succeeded
@@ -38,10 +38,10 @@ If you can reproduce a problem, please increase the logging level, run the syste
2. Reproduce the problem
-3. Run `sudo mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
+3. Run `sudo mdatp --diagnostic --create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
```bash
- $ sudo mdatp --diagnostic --create
+ sudo mdatp --diagnostic --create
Creating connection to daemon
Connection established
```
@@ -49,7 +49,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
4. Restore logging level:
```bash
- $ mdatp --log-level info
+ mdatp --log-level info
Creating connection to daemon
Connection established
Operation succeeded
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
index d7a913d13f..4fc24b4545 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
@@ -36,8 +36,8 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your
ProgramArguments
sh
- -c
- /usr/local/bin/mdatp --scan --quick
+ -c
+ /usr/local/bin/mdatp --scan --quick
RunAtLoad
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
index 4e380f4e2a..0728dd83ad 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
@@ -30,7 +30,7 @@ For manual installation, the Summary page of the installation wizard says, "An e
While we do not display an exact error to the end user, we keep a log file with installation progress in `/Library/Logs/Microsoft/mdatp/install.log`. Each installation session appends to this log file. You can use `sed` to output the last installation session only:
```bash
-$ sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log
+sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log
preinstall com.microsoft.wdav begin [2020-03-11 13:08:49 -0700] 804
INSTALLER_SECURE_TEMP=/Library/InstallerSandboxes/.PKInstallSandboxManager/CB509765-70FC-4679-866D-8A14AD3F13CC.activeSandbox/89FA879B-971B-42BF-B4EA-7F5BB7CB5695
@@ -45,7 +45,7 @@ The installation failed because a downgrade between these versions is not suppor
## MDATP install log missing or not updated
In rare cases, installation leaves no trace in MDATP's /Library/Logs/Microsoft/mdatp/install.log file.
-You can verify that an installation happened and analyze possible errors by querying macOS logs (this is helpful in case of MDM deployment, when there is no client UI). We recommend that you use a narrow time window to run a query, and that you filter by the logging process name, as there will be a huge amount of information.
+You can verify that an installation happened and analyze possible errors by querying macOS logs (this is helpful in MDM deployment, when there is no client UI). We recommend that you use a narrow time window to run a query, and that you filter by the logging process name, as there will be a huge amount of information.
```bash
grep '^2020-03-11 13:08' /var/log/install.log
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
index 04021812ac..650b67011f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
@@ -34,7 +34,7 @@ If you did not approve the kernel extension during the deployment / installation
You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device.
```bash
-$ mdatp --health
+mdatp --health
...
realTimeProtectionAvailable : false
realTimeProtectionEnabled : true
@@ -63,7 +63,7 @@ In this case, you need to perform the following steps to trigger the approval fl
1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device, however it will trigger the approval flow again.
```bash
- $ sudo kextutil /Library/Extensions/wdavkext.kext
+ sudo kextutil /Library/Extensions/wdavkext.kext
Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Diagnostics for /Library/Extensions/wdavkext.kext:
@@ -76,13 +76,13 @@ In this case, you need to perform the following steps to trigger the approval fl
4. In Terminal, install the driver again. This time the operation will succeed:
```bash
-$ sudo kextutil /Library/Extensions/wdavkext.kext
+sudo kextutil /Library/Extensions/wdavkext.kext
```
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
```bash
-$ mdatp --health
+mdatp --health
...
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
index fccc1b4442..4bdc6a325d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
@@ -42,7 +42,7 @@ The following steps can be used to troubleshoot and mitigate these issues:
- From the Terminal. For security purposes, this operation requires elevation.
```bash
- $ mdatp --config realTimeProtectionEnabled false
+ mdatp --config realTimeProtectionEnabled false
```
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
index 782c6a98e7..16b648b1c4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
@@ -64,7 +64,7 @@ The `Production` channel contains the most stable version of the product.
>[!WARNING]
>This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender ATP for Mac, execute the following command after replacing `[channel-name]` with the desired channel:
> ```bash
-> $ defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }"
+> defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }"
> ```
### Set update check frequency
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
index e2d4158d0d..f459d51a29 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
@@ -112,7 +112,11 @@ From there, select **Go to related security recommendation** to go to the [secur
To open a software page, select an event > select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout. [Learn more about software pages](tvm-software-inventory.md#software-pages)
-A full page will appear with all the details of a specific software, including an event timeline tab. From there you can view all the events related to that software, along with security recommendations, discovered vulnerabilities, installed machines, and version distribution.
+A full page will appear with all the details of a specific software. Mouse over the graph to see the timeline of events for that specific software.
+
+
+
+ You can also navigate to the event timeline tab to view all the events related to that software, along with security recommendations, discovered vulnerabilities, installed machines, and version distribution.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index aa166b9796..d82ae3d95c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -25,9 +25,9 @@ ms.topic: conceptual
[!include[Prerelease information](../../includes/prerelease.md)]
-Threat and vulnerability management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
+Threat and vulnerability management uses the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
-The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, and threat insights.
+The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
@@ -50,21 +50,21 @@ Go to the threat and vulnerability management navigation menu and select **Weakn
### Vulnerabilities in global search
1. Go to the global search drop-down menu.
-2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
+2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you're looking for.
-3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
+3. Select the CVE and a flyout panel opens up with more information, including the vulnerability description, details, threat insights, and exposed devices.
-To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
+To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then select search.
## Weaknesses overview
-If the **Exposed Devices** column shows 0, that means you are not at risk. If exposed devices exist, the next step is to remediate the vulnerabilities in those devices to reduce the risk to your assets and organization.
+If exposed devices exist, the next step is to remediate the vulnerabilities in those devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you are not at risk.
-
+
### Breach and threat insights
-You can view the related breach and threat insights in the **Threat** column when the icons are colored red.
+View related breach and threat insights in the **Threat** column when the icons are colored red.
>[!NOTE]
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon  and breach insight icon .
@@ -76,6 +76,14 @@ The threat insights icon is highlighted if there are associated exploits in the
+### Gain vulnerability insights
+
+If you select a CVE, a flyout panel will open with more information, including the vulnerability description, details, threat insights, and exposed devices.
+
+The "OS Feature" category is shown in relevant scenarios.
+
+ 
+
## View Common Vulnerabilities and Exposures (CVE) entries in other places
### Top vulnerable software in the dashboard
@@ -84,9 +92,9 @@ The threat insights icon is highlighted if there are associated exploits in the
-2. Select the software that you want to investigate to go a drill down page.
+2. Select the software you want to investigate to go to a drill down page.
3. Select the **Discovered vulnerabilities** tab.
-4. Select the vulnerability that you want to investigate. A flyout panel will appear with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+4. Select the vulnerability you want to investigate for more information on vulnerability details
@@ -102,7 +110,7 @@ View related weaknesses information in the device page.
3. The device page will open with details and response options for the device you want to investigate.
4. Select **Discovered vulnerabilities**.
- [Screenshot of the device page with details and response options](images/tvm-discovered-vulnerabilities.png)
+ 
5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
@@ -110,7 +118,9 @@ View related weaknesses information in the device page.
Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the device page) that shows the detection logic and source.
-
+The "OS Feature" category is also shown in relevant scenarios. For example, a CVE affects devices that run a vulnerable OS, only if a specific OS component is enabled on these devices. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we’ll attach this CVE only to the Windows Server 2019 devices with DNS capability enabled in their OS.
+
+
## Report inaccuracy