Tweaks to BAFS and WinDef intro for MAPS, insert states links.

This commit is contained in:
iaanw 2016-07-19 18:24:38 -07:00
parent c094dada90
commit 5aeb15c994
4 changed files with 53 additions and 24 deletions

View File

@ -1,5 +1,5 @@
--- ---
title: Configure Windows Defender in Windows 10 (Windows 10) title: Configure and use Windows Defender in Windows 10
description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D
ms.prod: w10 ms.prod: w10
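Review bot: the description metadata is left unchanged while the title grows to "Configure and use Windows Defender in Windows 10" and the body (in the next hunk) gains a paragraph on the Microsoft Active Protection Service; consider extending the description beyond definition updates and WSUS so the search snippet reflects the MAPS content the page now covers.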
@ -14,7 +14,9 @@ author: jasesso
**Applies to** **Applies to**
- Windows 10 - Windows 10
IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). You can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
You can also enable and configure the Microsoft Active Protection Service to ensure endpoints are protected by cloud-based protection technologies.
## Configure definition updates ## Configure definition updates
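Review bot: the new sentence "You can also enable and configure the Microsoft Active Protection Service to ensure endpoints are protected by cloud-based protection technologies." introduces MAPS without linking to where it is configured, even though the commit message mentions inserting links; consider linking to the Block at First Sight topic edited in this same commit and introducing the acronym on first use ("Microsoft Active Protection Service (MAPS)") so it matches that topic's wording.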

View File

@ -1,7 +1,7 @@
--- ---
title: Use PowerShell cmdlets to configure and run Windows Defender in Windows 10 title: Enable the Block at First Sight feature to detect malware within seconds
description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender. description: In Windows 10 Anniversary Update the Block at First Sight feature determines and blocks new malware variants in seconds. You can enable the feature with Group Policy
keywords: scan, command line, mpcmdrun, defender keywords: scan, BAFS, malware, first seen, first sight, cloud, MAPS, defender
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.pagetype: security ms.pagetype: security
ms.prod: w10 ms.prod: w10
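Review bot: the new description lacks a terminal period ("You can enable the feature with Group Policy") and "determines and blocks new malware variants" reads oddly; "detects and blocks new malware variants in seconds" would match the body's own phrasing ("detect and block new malware within seconds").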
@ -11,10 +11,17 @@ ms.pagetype: security
author: iaanw author: iaanw
--- ---
# Enable the Block at First Sight feature # Block at First Sight
**Applies to**
- Windows 10 Aniversary Update
Block at First Sight (BAFS) is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds. Block at First Sight (BAFS) is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds.
You can enable BAFS with Group Policy (GP) or individually on endpoints.
## Backend procesing and near-instant determinations
When a Windows Defender client encounters a suspicious but previously undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. When a Windows Defender client encounters a suspicious but previously undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
If the cloud backend is unable to make a determination, a copy of the file is requested for additional processing and analysis in the cloud. If the cloud backend is unable to make a determination, a copy of the file is requested for additional processing and analysis in the cloud.
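Review bot: two spelling errors in the added lines, "Windows 10 Aniversary Update" (Anniversary) and "## Backend procesing and near-instant determinations" (processing). While touching this block, the unchanged sentence "determine the files as malicious or clean" would read better as "determine whether the file is malicious or clean".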
@ -24,17 +31,17 @@ If the BAFS feature is enabled on the client, the file will be locked by Windows
The file-based determination typically takes 1 to 4 seconds. The file-based determination typically takes 1 to 4 seconds.
The following video describes how this feature works: The following video describes how this feature works:
<iframe src="https://osgwiki.com/images/d/de/Windows_Defender_-_Fast_Learning.mp4" width="640" height="360" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe> <iframe src="https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/media/Windows_Defender_-_Fast_Learning.mp4" width="640" height="360" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe>
> **Note:**&nbsp;&nbsp;Suspicious file downloads requiring additional back-end processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the back-end. Users will see a longer “Running security scan” message in the browser while the file is being uploaded, leading to slower download times for these files. > **Note:**&nbsp;&nbsp;Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to slowerr download times for some files.
## ENABLE BLOCK AT FIRST SIGHT ## Enable Block at First Sight
### USE GROUP POLICY TO CONFIGURE BAFS ### Use Group Policy to configure Block at First Sight
You can use Group Policy to control whether Windows Defender will continue to lock a suspicious file until it is uploaded to the back-end. You can use GP to control whether Windows Defender will continue to lock a suspicious file until it is uploaded to the backend.
This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device. This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device.
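Review bot: the iframe src is changed to https://tnstage.redmond.corp.microsoft.com/..., an internal staging host that public readers cannot reach, so the video will not load once published; point it at the production media path before merging. The rewritten note also has a typo and a missing word: "This might result in what appear to slowerr download times" should read "what appear to be slower download times".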
@ -42,42 +49,45 @@ BAFS requires a number of Group Policy settings to be configured correctly or it
**Configure pre-requisite cloud protection Group Policy settings:** **Configure pre-requisite cloud protection Group Policy settings:**
1. On your GP management machine, Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**. 1. On your GP management machine, open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure, and click **Edit**.
3. In the **Group Policy Management Editor**, go to **Computer configuration**. 3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies**, then **Administrative templates**. 4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > MAPS** and configure the follow GPs: 5. Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following GPs:
1. Double-click the **Join Microsoft MAPS** GP and set the option to **Enabled**. Click **OK**. 1. Double-click the **Join Microsoft MAPS** GP and set the option to **Enabled**. Click **OK**.
1. Double-click the **Send file samples when further analysis is required** GP and set the option as **Enabled** and the additional options as either of the following: 1. Double-click the **Send file samples when further analysis is required** GP and set the option as **Enabled** and the additional options as either of the following:
1. Send safe samples (1) 1. Send safe samples (1)
1. Send all samples (3) 1. Send all samples (3)
> **Note:**&nbsp;&nbsp;Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function. > **Note:**&nbsp;&nbsp;Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
1. Click OK after both GPs have been set. 1. Click OK after both GPs have been set.
1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection** 1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection**:
1. Double-click the **Scan all downloaded files and attachments** GP and set the option to **Enabled**. Click **OK**. 1. Double-click the **Scan all downloaded files and attachments** GP and set the option to **Enabled**. Click **OK**.
1. Double-click the **Turn off real-time protection** GP and set the option to **Disabled**. Click **OK**. 1. Double-click the **Turn off real-time protection** GP and set the option to **Disabled**. Click **OK**.
**Enable Block at First Sight with Group Policy** **Enable Block at First Sight with Group Policy**
1. On your GP management machine, Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**. 1. On your GP management machine, open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure, and click **Edit**.
3. In the **Group Policy Management Editor**, go to **Computer configuration**. 3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies**, then **Administrative templates**. 4. Click **Policies** then **Administrative templates**.
5. Expand the tree through **Windows components > Windows Defender > MAPS**. 5. Expand the tree through **Windows components > Windows Defender > MAPS**.
1. Double-click the **Configure the Block at First Sight feature** and set the option to **Enabled**. Click Next Setting. 1. Double-click the **Configure the Block at First Sight feature** and set the option to **Enabled**.
> **Note:**&nbsp;&nbsp;The Block at First Sight feature will not function if the pre-requisite group policies have not been correctly set. > **Note:**&nbsp;&nbsp;The Block at First Sight feature will not function if the pre-requisite group policies have not been correctly set.
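Review bot: in both procedures the source step numbers run 1, 3, 4, 5 and then drop back to 1 (there is no step 2); Markdown will renumber on render, but the source is confusing to maintain and the two step-1 entries ("Join Microsoft MAPS" and "Send file samples when further analysis is required") are the ones the later note depends on, so sequential numbers would make the dependency clearer. Minor: "pre-requisite" appears hyphenated here while the prose elsewhere uses it as a single word; pick one.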
@ -89,9 +99,9 @@ To configure un-managed clients that are running Windows 10 Anniversary Update,
1. Open Windows Defender settings: 1. Open Windows Defender settings:
a. Open the Windows Defender app and click Settings a. Open the Windows Defender app and click **Settings**.
b. On the main Windows Setting page, click Update & Security and then Windows Defender. b. On the main Windows Setting page, click **Update & Security** and then **Windows Defender88.
2. Switch **Cloud-based Protection** and **Automatic sample submission** to **On**. 2. Switch **Cloud-based Protection** and **Automatic sample submission** to **On**.
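Review bot: the closing bold marker in step b was typed as "88" ("**Windows Defender88."), which leaves the bold unclosed and renders a literal "88"; it should be "**Windows Defender**." Also "On the main Windows Setting page" should be "Windows Settings page".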

View File

@ -31,6 +31,23 @@ Windows Defender provides the most protection when cloud-based protection is ena
- Reports and report management - Reports and report management
When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed. When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
### Compatibility with Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode.
In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans wont run, and Windows Defender will not provide real-time protection from malware.
You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
   
### Minimum system requirements ### Minimum system requirements
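Review bot: "scheduled scans wont run" is missing its apostrophe ("won't"), and the passive-mode sentence is a comma splice; splitting it after "will continue to be updated" ("... will continue to be updated. However, there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender will not provide real-time protection from malware.") makes the operational consequence, no real-time protection from Windows Defender while in passive mode, easier for an administrator to catch.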