Merge branch 'master' into air-working

.openpublishing.redirection.json

@@ -1030,6 +1030,11 @@
       "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table",
       "redirect_document_id": true
     },
+    {
+      "source_path": "windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md",
+      "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os",
+      "redirect_document_id": true
+    },
     {
       "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md",
       "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table",

windows/client-management/mdm/defender-csp.md

@@ -10,11 +10,14 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
-ms.date: 10/21/2019
+ms.date: 08/11/2020
 ---
 
 # Defender CSP
 
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
 The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
 
 The following image shows the Windows Defender configuration service provider in tree format.
@@ -48,7 +51,7 @@ Supported operation is Get.
 <a href="" id="detections-threatid-severity"></a>**Detections/*ThreatId*/Severity**  
 Threat severity ID.
 
-The data type is a integer.
+The data type is integer.
 
 The following list shows the supported values:
 
@@ -63,7 +66,7 @@ Supported operation is Get.
 <a href="" id="detections-threatid-category"></a>**Detections/*ThreatId*/Category**  
 Threat category ID.
 
-The data type is a integer.
+The data type is integer.
 
 The following table describes the supported values:
 
@@ -125,7 +128,7 @@ Supported operation is Get.
 <a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus**  
 Information about the current status of the threat.
 
-The data type is a integer.
+The data type is integer.
 
 The following list shows the supported values:
 
@@ -146,7 +149,7 @@ Supported operation is Get.
 <a href="" id="detections-threatid-executionstatus"></a>**Detections/*ThreatId*/ExecutionStatus**  
 Information about the execution status of the threat.
 
-The data type is a integer.
+The data type is integer.
 
 Supported operation is Get.
 
@@ -167,7 +170,7 @@ Supported operation is Get.
 <a href="" id="detections-threatid-numberofdetections"></a>**Detections/*ThreatId*/NumberOfDetections**  
 Number of times this threat has been detected on a particular client.
 
-The data type is a integer.
+The data type is integer.
 
 Supported operation is Get.
 
@@ -179,7 +182,7 @@ Supported operation is Get.
 <a href="" id="health-productstatus"></a>**Health/ProductStatus**  
 Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list.
 
-Data type is integer. Supported operation is Get.
+The data type is integer. Supported operation is Get.
 
 Supported product status values:  
 -  No status                                                        = 0
@@ -230,7 +233,7 @@ Example:
 <a href="" id="health-computerstate"></a>**Health/ComputerState**  
 Provide the current state of the device.
 
-The data type is a integer.
+The data type is integer.
 
 The following list shows the supported values:
 
@@ -391,7 +394,7 @@ When enabled or disabled exists on the client and admin moves the setting to not
 Enables or disables file hash computation feature.
 When this feature is enabled Windows defender will compute hashes for files it scans.
 
-The data type is a integer.
+The data type is integer.
 
 Supported operations are Add, Delete, Get, Replace.
 
@@ -399,6 +402,26 @@ Valid values are:
 - 1 – Enable.
 - 0 (default) – Disable.
 
+<a href="" id="configuration-supportloglocation"></a>**Configuration/SupportLogLocation**  
+The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (**MpCmdRun.exe**) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. 
+
+Data type is string.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Intune Support log location setting UX supports three states:  
+
+- Not configured (default) - Does not have any impact on the default state of the device. 
+- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
+- 0 - Disabled. Turns off the Support log location feature. 
+
+When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.  
+
+More details:  
+
+- [Microsoft Defender AV diagnostic data](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)  
+- [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices)  
+
 <a href="" id="scan"></a>**Scan**  
 Node that can be used to start a Windows Defender scan on a device.
 

windows/client-management/mdm/defender-ddf.md

@@ -1,6 +1,6 @@
 ---
 title: Defender DDF file
-description: See how the the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used.
+description: See how the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used.
 ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65
 ms.reviewer: 
 manager: dansimp
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
-ms.date: 10/21/2019
+ms.date: 08/11/2020
 ---
 
 # Defender DDF file
@@ -45,7 +45,7 @@ The XML below is the current version for this CSP.
             <Permanent />
           </Scope>
           <DFType>
-            <MIME>com.microsoft/1.2/MDM/Defender</MIME>
+            <MIME>com.microsoft/1.3/MDM/Defender</MIME>
           </DFType>
         </DFProperties>
         <Node>
@@ -734,6 +734,29 @@ The XML below is the current version for this CSP.
               </DFType>
             </DFProperties>
           </Node>
+          <Node>
+            <NodeName>SupportLogLocation</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Replace />
+                <Add />
+                <Delete />
+              </AccessType>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME>text/plain</MIME>
+              </DFType>
+            </DFProperties>
+          </Node>
         </Node>
         <Node>
           <NodeName>Scan</NodeName>

windows/security/threat-protection/TOC.md

@@ -293,6 +293,7 @@
  
 #### [Devices list]()
 ##### [View and organize the Devices list](microsoft-defender-atp/machines-view-overview.md)
+##### [Device timeline event flags](microsoft-defender-atp/device-timeline-event-flag.md)
 ##### [Manage device group and tags](microsoft-defender-atp/machine-tags.md)
  
 #### [Take response actions]()

windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md

@@ -7,7 +7,6 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
@@ -23,13 +22,11 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-**Use Microsoft Intune to configure scanning options**
+## Use Microsoft Intune to configure scanning options
 
 See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
 
-<a id="ref1"></a>
+## Use Microsoft Endpoint Configuration Manager to configure scanning options
-
-## Use Microsoft Endpoint Configuration Manager to configure scanning options:
 
 See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
 
@@ -70,6 +67,8 @@ See [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell
 
 For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
 
+<a id="ref1"></a>
+
 ## Email scanning limitations
 
 Email scanning enables scanning of  email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:

windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md

@@ -7,7 +7,6 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
@@ -20,7 +19,8 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Windows Server 2016
+- Windows Server 2019
 
 Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
 

windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md

@@ -7,11 +7,10 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 09/03/2018
+ms.date: 08/12/2020
 ms.reviewer: 
 manager: dansimp
 ms.custom: nextgen
@@ -62,7 +61,8 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
 5.  Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**.
 
 6.  Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
-    - **Default Microsoft Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
+    - **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files.
+    - **Moderate blocking level** provides moderate only for high confidence detections
     - **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
     - **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
     - **Zero tolerance blocking level** blocks all unknown executables.

windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md

@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 06/02/2020
+ms.date: 08/12/2020
 ms.reviewer: 
 manager: dansimp
 ms.custom: asr
@@ -45,9 +45,9 @@ Depending on your organization's settings, employees can copy and paste images (
 
 To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. 
 
-### Why aren’t employees able to see their Extensions in the Application Guard Edge session?
+### Are extensions supported in the Application Guard?
 
-Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. 
+Extension installs in the container are supported from Microsoft Edge version 81. For more details, see [Extension support inside the container](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard#extension-support-inside-the-container).
 
 ### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? 
 
@@ -119,8 +119,8 @@ For guidance on how to create a firewall rule by using group policy, see:
 - [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
 
 First rule (DHCP Server):
-1. Program path: %SystemRoot%\System32\svchost.exe
+1. Program path: `%SystemRoot%\System32\svchost.exe`
-2. Local Service: Sid:  S-1-5-80-2009329905-444645132-2728249442-922493431-93864177  (Internet Connection Service (SharedAccess))
+2. Local Service: Sid:  `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177`  (Internet Connection Service (SharedAccess))
 3. Protocol UDP
 4. Port 67
 
@@ -148,14 +148,14 @@ This is a two step process.
 
 Step 1:
 
-Enable Internet Connection sharing by changing the Group Policy setting “Prohibit use of Internet Connection Sharing on your DNS domain network” which is part of the MS Security baseline from Enabled to Disabled.
+Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from Enabled to Disabled.
  
 Step 2:
  
-1. Disable IpNat.sys from ICS load
+1. Disable IpNat.sys from ICS load: 
-System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1
+`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`.
-2. Configure ICS (SharedAccess) to enabled
+2. Configure ICS (SharedAccess) to enabled: 
-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`.
-3. Disabling IPNAT (Optional)
+3. Disable IPNAT (Optional): 
-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`.
-4. Reboot.
+4. Restart the device.

windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md

@@ -1,53 +0,0 @@
----
-title: Configure Threat & Vulnerability Management in Microsoft Defender ATP
-ms.reviewer: 
-description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft Endpoint Configuration Manager integrations.
-keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM  
-search.product: Windows 10
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
----
-# Configure Threat & Vulnerability Management
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft Endpoint Configuration Manager for a seamless collaboration of issue remediation.
-
-### Before you begin
-> [!IMPORTANT]
-> Threat & Vulnerability Management data currently supports Windows 10 devices. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.</br>
-
-Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft Endpoint Configuration Manager.   
-
->[!WARNING]
->Only Intune and Microsoft Endpoint Configuration Manager enrolled devices are supported in this scenario.</br>
->Use any of the following options to enroll devices in Intune:
->- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
->- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
->- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).
-
-## Related topics
-
-- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
-- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation and exception](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md

@@ -55,13 +55,13 @@ The following steps will guide you through onboarding VDI devices and will highl
 
 1.  Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
 
-    a.  In the navigation pane, select **Settings** > **Onboarding**.
+    1.  In the navigation pane, select **Settings** > **Onboarding**.
 
-    b. Select Windows 10 as the operating system.
+    1. Select Windows 10 as the operating system.
 
-    c.  In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
+    1.  In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
 
-    d. Click **Download package** and save the .zip file.
+    1. Click **Download package** and save the .zip file.
 
 2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`.
 
@@ -69,34 +69,38 @@ The following steps will guide you through onboarding VDI devices and will highl
     >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
 
 3. The following step is only applicable if you're implementing a single entry for each device: <br>
-    **For single entry for each device**:<br>
+   **For single entry for each device**:
-        a. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. <br>
     
-    >[!NOTE]
+   1. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` and `WindowsDefenderATPOnboardingScript.cmd` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. <br>
-    >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
+
+   > [!NOTE]
+   > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
 
 4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
 
-    >[!NOTE]
+   > [!NOTE]
-    >Domain Group Policy may also be used for onboarding non-persistent VDI devices.
+   > Domain Group Policy may also be used for onboarding non-persistent VDI devices.
 
 5. Depending on the method you'd like to implement, follow the appropriate steps: <br>
    **For single entry for each device**:<br>
-  Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. <br><br>
+   
-  **For multiple entries for each device**:<br>
+   Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.
+   
+   **For multiple entries for each device**:
+   
    Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
 
 6. Test your solution:
 
-    a. Create a pool with one device.
+   1. Create a pool with one device.
       
-    b. Logon to device.
+   1. Logon to device.
       
-    c. Logoff from device.
+   1. Logoff from device.
 
-    d. Logon to device with another user.
+   1. Logon to device with another user.
       
-    e. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.<br>
+   1. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.<br>
       **For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center.
 
 7. Click **Devices list** on the Navigation pane.
@@ -107,7 +111,7 @@ The following steps will guide you through onboarding VDI devices and will highl
 As a best practice, we recommend using offline servicing tools to patch golden/master images.<br>
 For example, you can use the below commands to install an update while the image remains offline:
 
-```
+```console
 DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing" 
 DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
 DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
@@ -124,7 +128,7 @@ If offline servicing is not a viable option for your non-persistent VDI environm
 
 2. Ensure the sensor is stopped by running the command below in a CMD window:
 
-    ```
+   ```console
    sc query sense
    ```
 
@@ -132,7 +136,7 @@ If offline servicing is not a viable option for your non-persistent VDI environm
 
 4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
 
-    ```
+    ```console
     PsExec.exe -s cmd.exe
     cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
     del *.* /f /s /q

windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md

@@ -201,6 +201,9 @@ However, if the connectivity check results indicate a failure, an HTTP error is
 
 > [!NOTE]
 > The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
+
+
+> [!NOTE]
 > When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
 
 ## Related topics

windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md

@@ -33,6 +33,10 @@ Custom detection rules built from [Advanced hunting](advanced-hunting-overview.m
 
 In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
 
+>[!IMPORTANT]
+>To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
+
+
 #### Required columns in the query results
 To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
 

windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md

@@ -0,0 +1,45 @@
+---
+title: Microsoft Defender ATP device timeline event flags
+description: Use Microsoft Defender ATP device timeline event flags to 
+keywords: Defender ATP device timeline, event flags
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
+---
+
+# Microsoft Defender ATP device timeline event flags
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Event flags in the Microsoft Defender ATP device timeline help you filter and organize specific events when you're  investigate potential attacks.
+
+The Microsoft Defender ATP device timeline provides a chronological view of the events and associated alerts observed on a device. This list of events provides full visibility into any events, files, and IP addresses observed on the device. The list can sometimes be lengthy. Device timeline event flags help you track events that could be related. 
+
+After you've gone through a device timeline, you can sort, filter, and export the specific events that you flagged.
+
+While navigating the device timeline, you can search and filter for specific events. You can set event flags by: 
+
+- Highlighting the most important events 
+- Marking events that requires deep dive 
+- Building a clean breach timeline
+
+
+
+## Flag an event
+1. Find the event that you want to flag
+2. Click the flag icon in the Flag column. 
+![Image of device timeline flag](images/device-flags.png)
+
+## View flagged events  
+1. In the timeline **Filters** section, enable **Flagged events**.
+2. Click **Apply**. Only flagged events are displayed.
+You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.  
+![Image of device timeline flag with filter on](images/device-flag-filter.png)

windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md

@@ -64,7 +64,7 @@ For more information on how to configure exclusions from Puppet, Ansible, or ano
 Run the following command to see the available switches for managing exclusions:
 
 ```bash
-$ mdatp exclusion
+mdatp exclusion
 ```
 
 Examples:
@@ -72,28 +72,36 @@ Examples:
 - Add an exclusion for a file extension:
 
     ```bash
-    $ mdatp exclusion extension add --name .txt
+    mdatp exclusion extension add --name .txt
+    ```
+    ```Output
     Extension exclusion configured successfully
     ```
 
 - Add an exclusion for a file:
 
     ```bash
-    $ mdatp exclusion file add --path /var/log/dummy.log
+    mdatp exclusion file add --path /var/log/dummy.log
+    ```
+    ```Output
     File exclusion configured successfully
     ```
 
 - Add an exclusion for a folder:
 
     ```bash
-    $ mdatp exclusion folder add --path /var/log/
+    mdatp exclusion folder add --path /var/log/
+    ```
+    ```Output
     Folder exclusion configured successfully
     ```
 
 - Add an exclusion for a process:
 
     ```bash
-    $ mdatp exclusion process add --name cat
+    mdatp exclusion process add --name cat
+    ```
+    ```Output    
     Process exclusion configured successfully
     ```
 
@@ -104,7 +112,7 @@ You can validate that your exclusion lists are working by using `curl` to downlo
 In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
 
 ```bash
-$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
+curl -o test.txt https://www.eicar.org/download/eicar.com.txt
 ```
 
 If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).

windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md

@@ -71,7 +71,7 @@ In order to preview new features and provide early feedback, it is recommended t
     sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc
     ```
 
-- Install `yum-utils` if it is not already installed:
+- Install `yum-utils` if it isn't installed yet:
 
     ```bash
     sudo yum install yum-utils
@@ -107,13 +107,13 @@ In order to preview new features and provide early feedback, it is recommended t
 
 ### Ubuntu and Debian systems
 
-- Install `curl` if it is not already installed:
+- Install `curl` if it isn't installed yet:
 
     ```bash
     sudo apt-get install curl
     ```
 
-- Install `libplist-utils` if it is not already installed:
+- Install `libplist-utils` if it isn't installed yet:
 
     ```bash
     sudo apt-get install libplist-utils
@@ -177,14 +177,17 @@ In order to preview new features and provide early feedback, it is recommended t
 
     ```bash
     # list all repositories
-    $ yum repolist
+    yum repolist
+    ```
+    ```Output
     ...
     packages-microsoft-com-prod               packages-microsoft-com-prod        316
     packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins      2
     ...
-
+    ```
+    ```bash
     # install the package from the production repository
-    $ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
+    sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
     ```
 
 - SLES and variants:
@@ -196,16 +199,18 @@ In order to preview new features and provide early feedback, it is recommended t
     If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
 
     ```bash
-    # list all repositories
+    zypper repos
-    $ zypper repos
+    ```
+
+    ```Output
     ...
     #  | Alias | Name | ...
     XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...
     XX | packages-microsoft-com-prod | microsoft-prod | ...
     ...
-
+    ```
-    # install the package from the production repository
+    ```bash
-    $ sudo zypper install packages-microsoft-com-prod:mdatp
+    sudo zypper install packages-microsoft-com-prod:mdatp
     ```
 
 - Ubuntu and Debian system:
@@ -217,13 +222,14 @@ In order to preview new features and provide early feedback, it is recommended t
     If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
 
     ```bash
-    # list all repositories
+    cat /etc/apt/sources.list.d/*
-    $ cat /etc/apt/sources.list.d/*
+    ```
+    ```Output
     deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main
     deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main
-
+    ```
-    # install the package from the production repository
+    ```bash
-    $ sudo apt -t bionic install mdatp
+    sudo apt -t bionic install mdatp
     ```
 
 ## Download the onboarding package
@@ -243,17 +249,19 @@ Download the onboarding package from Microsoft Defender Security Center:
     ls -l
     ```
 
-    `total 8`
+    ```Output
-    `-rw-r--r-- 1 test  staff  5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip`
+    total 8
+    -rw-r--r-- 1 test  staff  5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
+    ```
 
     ```bash
     unzip WindowsDefenderATPOnboardingPackage.zip
+    ```
+    ```Output
     Archive:  WindowsDefenderATPOnboardingPackage.zip
     inflating: MicrosoftDefenderATPOnboardingLinuxServer.py
     ```
 
-    `Archive:  WindowsDefenderATPOnboardingPackage.zip`
-    `inflating: WindowsDefenderATPOnboarding.py`
 
 ## Client configuration
 

windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md

@@ -24,7 +24,7 @@ ms.topic: conceptual
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
 
-This topic describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
+This article describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
 
 - [Download the onboarding package](#download-the-onboarding-package)
 - [Create Ansible YAML files](#create-ansible-yaml-files)
@@ -33,12 +33,12 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl
 
 ## Prerequisites and system requirements
 
-Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
 
-In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Please refer to the [Ansible documentation](https://docs.ansible.com/) for details.
+In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Ansible documentation](https://docs.ansible.com/) for details.
 
-- Ansible needs to be installed on at least on one computer (we will call it the master).
+- Ansible needs to be installed on at least one computer (we will call it the primary computer).
-- SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication.
+- SSH must be configured for an administrator account between the primary computer and all clients, and it is recommended be configured with public key authentication.
 - The following software must be installed on all clients:
   - curl
   - python-apt
@@ -54,7 +54,7 @@ In addition, for Ansible deployment, you need to be familiar with Ansible admini
 - Ping test:
 
     ```bash
-    $ ansible -m ping all
+    ansible -m ping all
     ```
 
 ## Download the onboarding package
@@ -70,10 +70,16 @@ Download the onboarding package from Microsoft Defender Security Center:
 4. From a command prompt, verify that you have the file. Extract the contents of the archive:
 
     ```bash
-    $ ls -l
+    ls -l
+    ```
+    ```Output
     total 8
     -rw-r--r-- 1 test  staff  4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
-    $ unzip WindowsDefenderATPOnboardingPackage.zip
+    ```
+    ```bash
+    unzip WindowsDefenderATPOnboardingPackage.zip
+    ```
+    ```Output
     Archive:  WindowsDefenderATPOnboardingPackage.zip
     inflating: mdatp_onboard.json
     ```
@@ -158,7 +164,9 @@ Create a subtask or role files that contribute to an playbook or task.
     - For apt-based distributions use the following YAML file:
 
         ```bash
-        $ cat install_mdatp.yml
+        cat install_mdatp.yml
+        ```
+        ```Output
         - hosts: servers
             tasks:
                 - include: ../roles/onboarding_setup.yml
@@ -170,7 +178,9 @@ Create a subtask or role files that contribute to an playbook or task.
         ```
 
         ```bash
-        $ cat uninstall_mdatp.yml
+        cat uninstall_mdatp.yml
+        ```
+        ```Output
         - hosts: servers
         tasks:
             - apt:
@@ -181,7 +191,9 @@ Create a subtask or role files that contribute to an playbook or task.
     - For yum-based distributions use the following YAML file:
 
         ```bash
-        $ cat install_mdatp_yum.yml
+        cat install_mdatp_yum.yml
+        ```
+        ```Output
         - hosts: servers
         tasks:
             - include: ../roles/onboarding_setup.yml
@@ -193,7 +205,9 @@ Create a subtask or role files that contribute to an playbook or task.
         ```
 
         ```bash
-        $ cat uninstall_mdatp_yum.yml
+        cat uninstall_mdatp_yum.yml
+        ```
+        ```Output
         - hosts: servers
         tasks:
             - yum:
@@ -208,7 +222,7 @@ Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory.
 - Installation:
 
     ```bash
-    $ ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
+    ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
     ```
 
 > [!IMPORTANT]
@@ -217,14 +231,16 @@ Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory.
 - Validation/configuration:
 
     ```bash
-    $ ansible -m shell -a 'mdatp connectivity test' all
+    ansible -m shell -a 'mdatp connectivity test' all
-    $ ansible -m shell -a 'mdatp health' all
+    ```
+    ```bash
+    ansible -m shell -a 'mdatp health' all
     ```
 
 - Uninstallation:
 
     ```bash
-    $ ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
+    ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
     ```
 
 ## Log installation issues

windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md

@@ -24,7 +24,7 @@ ms.topic: conceptual
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
 
-This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
+This article describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
 
 - [Download the onboarding package](#download-the-onboarding-package)
 - [Create Puppet manifest](#create-a-puppet-manifest)
@@ -35,7 +35,7 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet
 
  For a description of prerequisites and system requirements for the current software version, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md).
 
-In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Please refer to the [Puppet documentation](https://puppet.com/docs) for details.
+In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Refer to the [Puppet documentation](https://puppet.com/docs) for details.
 
 ## Download the onboarding package
 
@@ -47,13 +47,20 @@ Download the onboarding package from Microsoft Defender Security Center:
 
     ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png)
 
-4. From a command prompt, verify that you have the file. Extract the contents of the archive:
+4. From a command prompt, verify that you have the file. 
 
     ```bash
-    $ ls -l
+    ls -l
+    ```
+    ```Output
     total 8
     -rw-r--r-- 1 test  staff  4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
-    $ unzip WindowsDefenderATPOnboardingPackage.zip
+    ```
+5. Extract the contents of the archive.
+    ```bash
+    unzip WindowsDefenderATPOnboardingPackage.zip
+    ```
+    ```Output
     Archive:  WindowsDefenderATPOnboardingPackage.zip
     inflating: mdatp_onboard.json
     ```
@@ -62,13 +69,19 @@ Download the onboarding package from Microsoft Defender Security Center:
 
 You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
 
-Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
+Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This folder is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
 
 ```bash
-$ pwd
+pwd
+```
+```Output
 /etc/puppetlabs/code/environments/production/modules
+```
 
-$ tree install_mdatp
+```bash
+tree install_mdatp
+```
+```Output
 install_mdatp
 ├── files
 │   └── mdatp_onboard.json
@@ -161,20 +174,24 @@ $version = undef
 Include the above manifest in your site.pp file:
 
 ```bash
-$ cat /etc/puppetlabs/code/environments/production/manifests/site.pp
+cat /etc/puppetlabs/code/environments/production/manifests/site.pp
+```
+```Output
 node "default" {
     include install_mdatp
 }
 ```
 
-Enrolled agent devices periodically poll the Puppet Server, and install new configuration profiles and policies as soon as they are detected.
+Enrolled agent devices periodically poll the Puppet Server and install new configuration profiles and policies as soon as they are detected.
 
 ## Monitor Puppet deployment
 
 On the agent device, you can also check the onboarding status by running:
 
 ```bash
-$ mdatp health
+mdatp health
+```
+```Output
 ...
 licensed                                : true
 org_id                                  : "[your organization identifier]"
@@ -200,7 +217,7 @@ The above command prints `1` if the product is onboarded and functioning as expe
 
 If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
 
-- 1 if the device is not yet onboarded.
+- 1 if the device isn't onboarded yet.
 - 3 if the connection to the daemon cannot be established.
 
 ## Log installation issues

windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md

@@ -29,7 +29,7 @@ ms.topic: conceptual
 
 In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
 
-This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
+This article describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
 
 ## Configuration profile structure
 
@@ -141,7 +141,7 @@ Used to exclude content from the scan by file extension.
 
 **Process excluded from the scan**
 
-Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`).
+Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (for example, `cat`) or full path (for example, `/bin/cat`).
 
 |||
 |:---|:---|
@@ -373,7 +373,7 @@ The following configuration profile contains entries for all settings described
 The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device:
 
 ```bash
-$ python -m json.tool mdatp_managed.json
+python -m json.tool mdatp_managed.json
 ```
 
 If the JSON is well-formed, the above command outputs it back to the Terminal and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.

windows/security/threat-protection/microsoft-defender-atp/linux-pua.md

@@ -53,13 +53,13 @@ You can configure how PUA files are handled from the command line or from the ma
 In Terminal, execute the following command to configure PUA protection:
 
 ```bash
-$ mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
+mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
 ```
 
 ### Use the management console to configure PUA protection:
 
-In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) topic.
+In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) article.
 
-## Related topics
+## Related articles
 
 - [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md)

windows/security/threat-protection/microsoft-defender-atp/linux-resources.md

@@ -26,28 +26,35 @@ ms.topic: conceptual
 
 ## Collect diagnostic information
 
-If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
+If you can reproduce a problem, first increase the logging level, run the system for some time, and then restore the logging level to the default.
 
 1. Increase logging level:
 
    ```bash
-   $ mdatp log level set --level verbose
+   mdatp log level set --level verbose
+   ```
+   ```Output
    Log level configured successfully
    ```
 
 2. Reproduce the problem.
 
-3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds:
+3. Run the following command to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. 
 
    ```bash
-   $ sudo mdatp diagnostic create
+   sudo mdatp diagnostic create
+   ```
+    This command will also print out the file path to the backup after the operation succeeds:
+   ```Output
    Diagnostic file created: <path to file>
    ```
 
 4. Restore logging level:
 
    ```bash
-   $ mdatp log level set --level info
+   mdatp log level set --level info
+   ```
+   ```Output
    Log level configured successfully
    ```
 
@@ -59,7 +66,7 @@ The detailed log will be saved to `/var/log/microsoft/mdatp_install.log`. If you
 
 ## Uninstall
 
-There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, please follow the package uninstallation instructions for the configuration tool.
+There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, follow the package uninstallation instructions for the configuration tool.
 
 ### Manual uninstallation
 
@@ -73,7 +80,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
 
 ### Global options
 
-By default, the command-line tool outputs the result in human-readable format. In addition to this, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass `--output json` to any of the below commands.
+By default, the command-line tool outputs the result in human-readable format. In addition, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass `--output json` to any of the below commands.
 
 ### Supported commands
 
@@ -138,5 +145,5 @@ In the Microsoft Defender ATP portal, you'll see two categories of information:
 - In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
 
     ```bash
-    $ sudo SUSEConnect --status-text
+   sudo SUSEConnect --status-text
     ```

windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md

@@ -48,7 +48,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
 - The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP: 
 
     ```bash  
-    $ HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
+    HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
     ```
 
     > [!NOTE]
@@ -56,7 +56,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
 
 The `HTTPS_PROXY` environment variable may similarly be defined during uninstallation.
 
-Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take significantly longer due to network timeouts.
+Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take much longer due to network timeouts.
 
 ## Post installation configuration
   
@@ -73,5 +73,5 @@ After installation, the `HTTPS_PROXY` environment variable must be defined in th
 After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:  
 
 ```bash
-$ systemctl daemon-reload; systemctl restart mdatp
+systemctl daemon-reload; systemctl restart mdatp
 ```

windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md

@@ -29,7 +29,7 @@ ms.topic: conceptual
 To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
 
 ```bash
-$ mdatp connectivity test
+mdatp connectivity test
 ```
 
 If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
@@ -44,7 +44,7 @@ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https:
 
 The output from this command should be similar to:
 
-```bash
+```Output
 OK https://x.cp.wd.microsoft.com/api/report
 OK https://cdn.x.cp.wd.microsoft.com/ping
 ```
@@ -59,7 +59,7 @@ OK https://cdn.x.cp.wd.microsoft.com/ping
 If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
 
 ```bash
-$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
 ```
 
 Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
@@ -78,13 +78,13 @@ Also ensure that the correct static proxy address is filled in to replace `addre
 If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting:
 
 ```bash
-$ sudo systemctl daemon-reload; sudo systemctl restart mdatp
+sudo systemctl daemon-reload; sudo systemctl restart mdatp
 ```
 
 Upon success, attempt another connectivity test from the command line:
 
 ```bash
-$ mdatp connectivity test
+mdatp connectivity test
 ```
 
 If the problem persists, contact customer support.

windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md

@@ -26,12 +26,15 @@ ms.topic: conceptual
 
 ## Verify if installation succeeded
 
-An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, one can obtain and check the installation logs using:
+An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, obtain and check the installation logs using:
 
  ```bash
- $ sudo journalctl | grep 'microsoft-mdatp'  > installation.log
+ sudo journalctl | grep 'microsoft-mdatp'  > installation.log
- $ grep 'postinstall end' installation.log
+```
-
+```bash
+ grep 'postinstall end' installation.log
+```
+```Output
  microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
  ```
 
@@ -44,8 +47,9 @@ Also check the [Client configuration](linux-install-manually.md#client-configura
 Check if the mdatp service is running:
 
 ```bash
- $ systemctl status mdatp
+systemctl status mdatp
-
+```
+```Output
  ● mdatp.service - Microsoft Defender ATP
    Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
    Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
@@ -61,41 +65,43 @@ Check if the mdatp service is running:
 
 1. Check if "mdatp" user exists:
     ```bash
-    $ id "mdatp"
+    id "mdatp"
     ```
     If there’s no output, run
     ```bash
-    $ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
+    sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
     ```
 
 2. Try enabling and restarting the service using:
     ```bash
-    $ sudo systemctl enable mdatp
+    sudo systemctl enable mdatp
-    $ sudo systemctl restart mdatp
     ```
-
-3. If mdatp.service isn't found upon running the previous command, run
     ```bash
-    $ sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>
+    sudo systemctl restart mdatp
-
-    where <systemd_path> is
-    /lib/systemd/system for Ubuntu and Debian distributions
-    /usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES
     ```
-    and then rerun step 2.
+
+3. If mdatp.service isn't found upon running the previous command, run:
+    ```bash
+    sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>
+    ```
+    where ```<systemd_path>``` is
+    ```/lib/systemd/system``` for Ubuntu and Debian distributions and
+    ```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES. 
+Then rerun step 2.
 
 4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
 Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.
 
 5. Ensure that the daemon has executable permission.
     ```bash
-    $ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
+    ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
-
+    ```
+    ```Output
     -rwxr-xr-x 2 root root 15502160 Mar  3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
     ```
     If the daemon doesn't have executable permissions, make it executable using:
     ```bash
-    $ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
+    sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
     ```
     and retry running step 2.
 
@@ -105,7 +111,7 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan
 
 1. Check the file system type using:
     ```bash
-    $ findmnt -T <path_of_EICAR_file>
+    findmnt -T <path_of_EICAR_file>
     ```
     Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned.
 
@@ -113,13 +119,15 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan
 
 1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
     ```bash
-    $  sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
+    sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
     ```
     and try again.
 
     If none of the above steps help, collect the diagnostic logs:
     ```bash
-    $ sudo mdatp diagnostic create
+    sudo mdatp diagnostic create
+    ```
+    ```Output
     Diagnostic file created: <path to file>
     ```
     Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.

windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md

@@ -23,7 +23,7 @@ ms.topic: conceptual
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
 
-This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
+This article provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
 
 Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
 
@@ -36,7 +36,9 @@ The following steps can be used to troubleshoot and mitigate these issues:
     If your device is not managed by your organization, real-time protection can be disabled from the command line:
 
     ```bash
-    $ mdatp config real-time-protection --value disabled
+    mdatp config real-time-protection --value disabled
+    ```
+    ```Output
     Configuration property updated
     ```
 
@@ -50,26 +52,28 @@ The following steps can be used to troubleshoot and mitigate these issues:
     This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
  
     ```bash
-    $ mdatp config real-time-protection-statistics --value enabled
+    mdatp config real-time-protection-statistics --value enabled
     ```
 
     This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
 
     ```bash
-    $ mdatp health --field real_time_protection_enabled
+    mdatp health --field real_time_protection_enabled
     ```
 
     Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it:
 
     ```bash
-    $ mdatp config real-time-protection --value enabled
+    mdatp config real-time-protection --value enabled
+    ```
+    ```Output
     Configuration property updated
     ```
 
     To collect current statistics, run:
 
     ```bash
-    $ mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file
+    mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file
     ```
 
     The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md

@@ -20,10 +20,8 @@ ms.topic: conceptual
 # Intune-based deployment for Microsoft Defender ATP for Mac
 
 > [!NOTE]
-> This documentation explains the legacy method for deploying and configuring Microsoft Defender ATP on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and dfeploy the application and send it down to macOS devices. 
+> This documentation explains the legacy method for deploying and configuring Microsoft Defender ATP on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and deploy the application and send it down to macOS devices. <br> <br>
-> This blog post explains the new features: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995
+>The blog post [MEM simplifies deployment of Microsoft Defender ATP for macOS](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995) explains the new features. To configure the app, go to [Settings for Microsoft Defender ATP for Mac in Microsoft InTune](https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos). To deploy the app, go to [Add Microsoft Defender ATP to macOS devices using Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos).
-> To configure the app go here: https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos
-> To deploy the app go here: https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos
 
 **Applies to:**
 
@@ -66,15 +64,24 @@ Download the installation and onboarding packages from Microsoft Defender Securi
 4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
 5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
 6. From a command prompt, verify that you have the three files.
-    Extract the contents of the .zip files:
+  
 
     ```bash
     ls -l
+    ```
+
+    ```Output
     total 721688
     -rw-r--r--  1 test  staff     269280 Mar 15 11:25 IntuneAppUtil
     -rw-r--r--  1 test  staff      11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
     -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
+    ```
+7. Extract the contents of the .zip files:
+
+    ```bash
     unzip WindowsDefenderATPOnboardingPackage.zip
+    ```
+    ```Output
     Archive:  WindowsDefenderATPOnboardingPackage.zip
     warning:  WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
       inflating: intune/kext.xml
@@ -82,16 +89,18 @@ Download the installation and onboarding packages from Microsoft Defender Securi
       inflating: jamf/WindowsDefenderATPOnboarding.plist
     ```
 
-7. Make IntuneAppUtil an executable:
+8. Make IntuneAppUtil an executable:
 
     ```bash
     chmod +x IntuneAppUtil
     ```
 
-8. Create the wdav.pkg.intunemac package from wdav.pkg:
+9. Create the wdav.pkg.intunemac package from wdav.pkg:
 
     ```bash
     ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
+    ```
+    ```Output
     Microsoft Intune Application Utility for Mac OS X
     Version: 1.0.0.0
     Copyright 2018 Microsoft Corporation

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md

@@ -24,7 +24,7 @@ ms.date: 04/10/2020
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
 
-This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps:
+This article describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps:
 
 1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
 1. [Create JAMF policies](#create-jamf-policies)
@@ -64,14 +64,22 @@ Download the installation and onboarding packages from Microsoft Defender Securi
 
 3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
 4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
-5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
+5. From the command prompt, verify that you have the two files. 
 
     ```bash
     ls -l
+    ```
+    ```Output
     total 721160
     -rw-r--r--  1 test  staff      11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
     -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
+    ```
+6. Extract the contents of the .zip files like so:
+ 
+    ```bash
     unzip WindowsDefenderATPOnboardingPackage.zip
+    ```
+    ```Output
     Archive:  WindowsDefenderATPOnboardingPackage.zip
     warning:  WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
      inflating: intune/kext.xml
@@ -283,6 +291,9 @@ You can monitor policy installation on a device by following the JAMF log file:
 
 ```bash
     tail -f /var/log/jamf.log
+```
+
+```Output
     Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
     Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"...
     Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
@@ -296,6 +307,9 @@ You can also check the onboarding status:
 
 ```bash
 mdatp --health
+```
+
+```Output
 ...
 licensed                                : true
 orgId                                   : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"

windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md

@@ -748,6 +748,8 @@ The property list must be a valid *.plist* file. This can be checked by executin
 
 ```bash
 plutil -lint com.microsoft.wdav.plist
+```
+```Output
 com.microsoft.wdav.plist: OK
 ```
 

windows/security/threat-protection/microsoft-defender-atp/mac-resources.md

@@ -31,6 +31,9 @@ If you can reproduce a problem, increase the logging level, run the system for s
 
    ```bash
    mdatp --log-level verbose
+   ```
+
+   ```Output
    Creating connection to daemon
    Connection established
    Operation succeeded
@@ -42,6 +45,8 @@ If you can reproduce a problem, increase the logging level, run the system for s
 
    ```bash
    sudo mdatp --diagnostic --create
+   ```
+   ```Output
    Creating connection to daemon
    Connection established
    ```
@@ -50,6 +55,8 @@ If you can reproduce a problem, increase the logging level, run the system for s
 
    ```bash
    mdatp --log-level info
+   ```
+   ```Output
    Creating connection to daemon
    Connection established
    Operation succeeded
@@ -105,7 +112,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
 To enable autocompletion in `Bash`, run the following command and restart the Terminal session:
 
 ```bash
-$ echo "source /Applications/Microsoft\ Defender\ ATP.app/Contents/Resources/Tools/mdatp_completion.bash" >> ~/.bash_profile
+echo "source /Applications/Microsoft\ Defender\ ATP.app/Contents/Resources/Tools/mdatp_completion.bash" >> ~/.bash_profile
 ```
 
 To enable autocompletion in `zsh`:
@@ -113,20 +120,21 @@ To enable autocompletion in `zsh`:
 - Check whether autocompletion is enabled on your device:
 
    ```zsh
-   $ cat ~/.zshrc | grep autoload
+   cat ~/.zshrc | grep autoload
    ```
 
 - If the above command does not produce any output, you can enable autocompletion using the following command:
 
    ```zsh
-   $ echo "autoload -Uz compinit && compinit" >> ~/.zshrc
+   echo "autoload -Uz compinit && compinit" >> ~/.zshrc
    ```
 
-- Run the following command to enable autocompletion for Microsoft Defender ATP for Mac and restart the Terminal session:
+- Run the following commands to enable autocompletion for Microsoft Defender ATP for Mac and restart the Terminal session:
 
    ```zsh
    sudo mkdir -p /usr/local/share/zsh/site-functions
-
+   ```
+   ```zsh
    sudo ln -svf "/Applications/Microsoft Defender ATP.app/Contents/Resources/Tools/mdatp_completion.zsh" /usr/local/share/zsh/site-functions/_mdatp
    ```
 

windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md

@@ -70,6 +70,8 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your
 
     ```bash
     launchctl load /Library/LaunchDaemons/<your file name.plist>
+    ```
+    ```bash
     launchctl start <your file name>
     ```
 

windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md

@@ -31,7 +31,8 @@ While we do not display an exact error to the end user, we keep a log file with
 
 ```bash
 sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log
-
+```
+```Output
 preinstall com.microsoft.wdav begin [2020-03-11 13:08:49 -0700] 804
 INSTALLER_SECURE_TEMP=/Library/InstallerSandboxes/.PKInstallSandboxManager/CB509765-70FC-4679-866D-8A14AD3F13CC.activeSandbox/89FA879B-971B-42BF-B4EA-7F5BB7CB5695
 correlation id=CB509765-70FC-4679-866D-8A14AD3F13CC
@@ -49,6 +50,7 @@ You can verify that an installation happened and analyze possible errors by quer
 
 ```bash
 grep '^2020-03-11 13:08' /var/log/install.log
-
+```
+```Output
 log show --start '2020-03-11 13:00:00' --end '2020-03-11 13:08:50' --info --debug --source --predicate 'processImagePath CONTAINS[C] "install"' --style syslog
 ```

windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md

@@ -23,18 +23,20 @@ ms.topic: conceptual
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
 
-This topic provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender ATP for Mac.
+This article provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender ATP for Mac.
 
 Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before they are allowed to run on the device.
 
-If you did not approve the kernel extension during the deployment / installation of Microsoft Defender ATP for Mac, then the application displays a banner prompting you to enable it:
+If you did not approve the kernel extension during the deployment/installation of Microsoft Defender ATP for Mac, the application displays a banner prompting you to enable it:
 
    ![RTP disabled screenshot](../microsoft-defender-antivirus/images/MDATP-32-Main-App-Fix.png)
 
-You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device.
+You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device.
 
 ```bash
 mdatp --health
+```
+```Output
 ...
 realTimeProtectionAvailable             : false
 realTimeProtectionEnabled               : true
@@ -60,10 +62,13 @@ If you don't see this prompt, it means that 30 or more minutes have passed, and
 
 In this case, you need to perform the following steps to trigger the approval flow again.
 
-1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device, however it will trigger the approval flow again.
+1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device. However, it will trigger the approval flow again.
 
     ```bash
     sudo kextutil /Library/Extensions/wdavkext.kext
+    ```
+    
+    ```Output
     Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
     Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
     Diagnostics for /Library/Extensions/wdavkext.kext:
@@ -75,16 +80,19 @@ In this case, you need to perform the following steps to trigger the approval fl
 
 4. In Terminal, install the driver again. This time the operation will succeed:
 
-```bash
+    ```bash
-sudo kextutil /Library/Extensions/wdavkext.kext
+    sudo kextutil /Library/Extensions/wdavkext.kext
-```
+    ```
 
-The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
+    The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
 
-```bash
+    ```bash
-mdatp --health
+    mdatp --health
-...
+    ```
-realTimeProtectionAvailable             : true
+
-realTimeProtectionEnabled               : true
+    ```Output
-...
+    ...
-```
+    realTimeProtectionAvailable             : true
+    realTimeProtectionEnabled               : true
+    ...
+    ```

windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md

@@ -103,8 +103,9 @@ The hardware requirements for Microsoft Defender ATP on devices are the same for
 
 
 ### Other supported operating systems
-- macOS
+- Android
 - Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
+- macOS
 
 > [!NOTE]
 > You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Microsoft Defender ATP for the integration to work.

windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md

@@ -27,19 +27,19 @@ ms.topic: conceptual
 
 Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
 
-It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
+Discover vulnerabilities and misconfigurations in real time with sensors, and without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
 
 Watch this video for a quick overview of threat and vulnerability management.
 
 >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4mLsn]
 
-## Next-generation capabilities
+## Bridging the workflow gaps
 
-Threat and vulnerability management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.  
+Threat and vulnerability management is built in, real time, and cloud powered. It's fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.  
 
-It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager.
+Vulnerability management is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. Create a security task or ticket by integrating with Microsoft Intune and Microsoft Endpoint Configuration Manager.
 
-It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
+It provides the following solutions to frequently cited gaps across security operations, security administration, and IT administration workflows and communication:
 
 - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
 - Linked device vulnerability and security configuration assessment data in the context of exposure discovery
@@ -47,7 +47,9 @@ It provides the following solutions to frequently-cited gaps across security ope
 
 ### Real-time discovery
 
-To discover endpoint vulnerabilities and misconfiguration, threat and vulnerability management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
+To discover endpoint vulnerabilities and misconfiguration, threat and vulnerability management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead.
+
+It also provides:
 
 - Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
 - Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
@@ -56,10 +58,10 @@ To discover endpoint vulnerabilities and misconfiguration, threat and vulnerabil
 
 ### Intelligence-driven prioritization
 
-Threat and vulnerability management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, threat and vulnerability management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
+Threat and vulnerability management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, threat and vulnerability management highlights the most critical weaknesses that need attention. It fuses security recommendations with dynamic threat and business context:
 
-- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, threat and vulnerability management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
+- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, threat and vulnerability management dynamically aligns the prioritization of its security recommendations. It focuses on vulnerabilities currently being exploited in the wild and emerging threats that pose the highest risk.
-- Pinpointing active breaches. Microsoft Defender ATP correlates threat and vulnerability management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
+- Pinpointing active breaches. Microsoft Defender ATP correlates threat and vulnerability management and EDR insights to prioritize vulnerabilities being exploited in an active breach within the organization.
 - Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows threat and vulnerability management to identify the exposed devices with business-critical applications, confidential data, or high-value users.
 
 ### Seamless remediation
@@ -95,13 +97,14 @@ Ensure that your devices:
 > Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
 > Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
 
-- Are onboarded to Microsoft Intune and  Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
+- Are onboarded to [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and  [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure). If you're using Configuration Manager, update your console to the latest version.
 - Have at least one security recommendation that can be viewed in the device page
 - Are tagged or marked as co-managed
 
 ## APIs
 
-Run threat and vulnerability management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+Run threat and vulnerability management-related API calls to automate vulnerability management workflows. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+
 See the following topics for related APIs:
 
 - [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)

windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md

@@ -1,6 +1,6 @@
 ---
 title: Event timeline in threat and vulnerability management
-description: Event timeline is a "risk news feed" which will help you interpret how risk is introduced into the organization and which mitigations happened to reduce it.
+description: Event timeline is a "risk news feed" that helps you interpret how risk is introduced into the organization, and which mitigations happened to reduce it.
 keywords: event timeline, mdatp event timeline, mdatp tvm event timeline, threat and vulnerability management, Microsoft Defender Advanced Threat Protection
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -23,9 +23,7 @@ ms.topic: conceptual
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
 
-[!include[Prerelease information](../../includes/prerelease.md)]
+Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization through new vulnerabilities or exploits. You can view events that may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was added to an exploit kit, and more.
-
-Event timeline is a risk news feed which helps you interpret how risk, through new vulnerabilities or exploits, is introduced into the organization. You can view events which may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was addd to an exploit kit, and more.
 
 Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) so you can determine the cause of large changes. Reduce you exposure score by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md).
 
@@ -34,7 +32,7 @@ Event timeline also tells the story of your [exposure score](tvm-exposure-score.
 You can access Event timeline mainly through three ways:
 
 - In the threat and vulnerability management navigation menu in the Microsoft Defender Security Center
-- Top events card in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most machines or critical vulnerabilities)
+- Top events card in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most devices or critical vulnerabilities)
 - Hovering over the Exposure Score graph in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md)
 
 ### Navigation menu
@@ -43,17 +41,17 @@ Go to the threat and vulnerability management navigation menu and select **Event
 
 ### Top events card
 
-In the Tthreat and vulnerability management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page.
+In the threat and vulnerability management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page.
 
 ![Event timeline page](images/tvm-top-events-card.png)
 
 ### Exposure score graph
 
-In the threat and vulnerability management dashboard, hover over the Exposure score graph to view top events from that day that impacted your machines. If there are no events, then none will be shown.
+In the threat and vulnerability management dashboard, hover over the Exposure score graph to view top events from that day that impacted your devices. If there are no events, then none will be shown.
 
 ![Event timeline page](images/tvm-event-timeline-exposure-score400.png)
 
-Selecting **Show all events from this day** will lead you to the Event timeline page with a pre-populated custom date range for that day.
+Selecting **Show all events from this day** takes you to the Event timeline page with a custom date range for that day.
 
 ![Event timeline page](images/tvm-event-timeline-drilldown.png)
 
@@ -63,12 +61,12 @@ Select **Custom range** to change the date range to another custom one, or a pre
 
 ## Event timeline overview
 
-On the Event timeline page, you can view the all the necesssary info related to an event. 
+On the Event timeline page, you can view the all the necessary info related to an event. 
 
 Features:
 
 - Customize columns
-- Filter by event type or percent of impacted machines
+- Filter by event type or percent of impacted devices
 - View 30, 50, or 100 items per page
 
 The two large numbers at the top of the page show the number of new vulnerabilities and exploitable vulnerabilities, not events. Some events can have multiple vulnerabilities, and some vulnerabilities can have multiple events.
@@ -76,15 +74,15 @@ The two large numbers at the top of the page show the number of new vulnerabilit
 ![Event timeline page](images/tvm-event-timeline-overview-mixed-type.png)
 
 >[!NOTE]
->New configuration assessments are coming soon.
+>Event type called "New configuration assessment" coming soon.
 
 ### Columns
 
 - **Date**: month, day, year
-- **Event**: impactful event, including component, type, and number of impacted machines
+- **Event**: impactful event, including component, type, and number of impacted devices
 - **Related component**: software
-- **Originally impacted machines**: the number, and percentage, of impacted machines when this event originally occurred. You can also filter by the percent of originally impacted machines, out of your total number of machines.
+- **Originally impacted devices**: the number, and percentage, of impacted devices when this event originally occurred. You can also filter by the percent of originally impacted devices, out of your total number of devices.
-- **Currently impacted machines**: the current number, and percentage, of machines that this event currently impacts. You can find this field by selecting **Customize columns**.
+- **Currently impacted devices**: the current number, and percentage, of devices that this event currently impacts. You can find this field by selecting **Customize columns**.
 - **Types**: reflect time-stamped events that impact the score. They can be filtered.
     - Exploit added to an exploit kit
     - Exploit was verified
@@ -103,13 +101,13 @@ The following icons show up next to events:
 
 ### Drill down to a specific event
 
-Once you select an event, a flyout will appear listing the details and current CVEs that affect your machines. You can show more CVEs or view the related recommendation.
+Once you select an event, a flyout will appear with a list of the details and current CVEs that affect your devices. You can show more CVEs or view the related recommendation.
 
-The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means machines are more vulnerable to exploitation.
+The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means devices are more vulnerable to exploitation.
 
 ![Event timeline flyout](images/tvm-event-timeline-flyout500.png)
 
-From there, select **Go to related security recommendation** to go to the [security recommendations page](tvm-security-recommendation.md) and the recommendation that will address the new software vulnerability. After reading the description and vulnerability details in the security recommendation, you can [submit a remediation request](tvm-security-recommendation.md#request-remediation), and track the request in the [remediation page](tvm-remediation.md).  
+From there, select **Go to related security recommendation** view the recommendation that addresses the new software vulnerability in the [security recommendations page](tvm-security-recommendation.md). After reading the description and vulnerability details in the security recommendation, you can [submit a remediation request](tvm-security-recommendation.md#request-remediation), and track the request in the [remediation page](tvm-remediation.md).  
 
 ## View Event timelines in software pages
 
@@ -119,7 +117,7 @@ A full page will appear with all the details of a specific software. Mouse over
 
 ![Software page with an Event timeline graph](images/tvm-event-timeline-software2.png)
 
- You can also navigate to the event timeline tab to view all the events related to that software, along with security recommendations, discovered vulnerabilities, installed machines, and version distribution.
+Navigate to the event timeline tab to view all the events related to that software. You can also see security recommendations, discovered vulnerabilities, installed devices, and version distribution.
 
 ![Software page with an Event timeline tab](images/tvm-event-timeline-software-pages.png)
 

windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md

@@ -1,6 +1,6 @@
 ---
 title: Scenarios - threat and vulnerability management
-description: Learn how threat and vulnerability management can be used to help security admins, IT admins, and SecOps collaborate in defending against security threats.
+description: Learn how threat and vulnerability management can be used to help security admins, IT admins, and SecOps collaborate.
 keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls 
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -52,7 +52,7 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
 
 ## Define a device's value to the organization
 
-Defining a device’s value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation, so devices marked as “high value” will receive more weight.
+Defining a device’s value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices marked as “high value” will receive more weight.
 
 Device value options:
 

windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md

@@ -32,9 +32,9 @@ Threat and vulnerability management is a component of Microsoft Defender ATP, an
   
 You can use the threat and vulnerability management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
 
-- View exposure and Microsoft Secure Score for Devices side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices
+- View you exposure score and Microsoft Secure Score for Devices, along with top security recommendations, software vulnerability, remediation activities, and exposed devices
 - Correlate EDR insights with endpoint vulnerabilities and process them
-- Select remediation options, triage and track the remediation tasks
+- Select remediation options to triage and track the remediation tasks
 - Select exception options and track active exceptions
 
 > [!NOTE]
@@ -57,7 +57,7 @@ Area | Description
 **Dashboard**   | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.
 [**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP.
 [**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions.
-[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates.
+[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates.
 [**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details.
 
 ## Threat and vulnerability management dashboard
@@ -66,7 +66,7 @@ Area | Description
 :---|:---
 **Selected device groups (#/#)**   | Filter the threat and vulnerability management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the threat and vulnerability management pages.
 [**Exposure score**](tvm-exposure-score.md)   | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
-[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page.
+[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts, and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page.
 **Device exposure distribution** | See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
 **Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
 **Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.

windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md

@@ -27,7 +27,7 @@ ms.topic: article
 Before you begin, ensure that you meet the following operating system or platform requisites for threat and vulnerability management so the activities in your devices are properly accounted for.
 
 >[!NOTE]
->Operating systems supported by Microsoft Defender ATP are not necessarily supported by threat and vulnerability management (like MacOS and Linux).
+>The supported systems and platforms for threat and vulnerability management may be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list.
 
 Operating system | Security assessment support
 :---|:---
@@ -42,8 +42,6 @@ Windows Server 2019 | Operating System (OS) vulnerabilities<br/>Software product
 MacOS | Not supported (planned)
 Linux | Not supported (planned)
 
-Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list.
-
 ## Related topics
 
 - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)

windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md

@@ -1,6 +1,6 @@
 ---
-title: Open the Group Policy Management Console to Windows Firewall with Advanced Security (Windows 10)
+title: Group Policy Management of Windows Firewall with Advanced Security (Windows 10)
-description: Open the Group Policy Management Console to Windows Firewall with Advanced Security
+description: Group Policy Management of Windows Firewall with Advanced Security
 ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98
 ms.reviewer: 
 ms.author: dansimp
@@ -17,7 +17,7 @@ ms.topic: conceptual
 ms.date: 04/19/2017
 ---
 
-# Open the Group Policy Management Console to Windows Firewall with Advanced Security
+# Group Policy Management of Windows Firewall with Advanced Security
 
 **Applies to**
 -   Windows 10