diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index d42055564e..c3243e4a9c 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -158,14 +158,24 @@
 ### [Configure attack surface reduction]()
 #### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
 
+### [Configure and manage capabilities](microsoft-defender-atp/onboard.md)
+#### [Microsoft Defender Advanced Threat Protection for Mac](windows-defender-antivirus/microsoft-defender-atp-mac.md)
+##### [Deploy Microsoft Defender Advanced Threat Protection for Mac]()
+###### [Microsoft Intune-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md)
+###### [JAMF-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md)
+###### [Deployment with a different Mobile Device Management (MDM) system](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md)
+###### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md)
+##### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md)
+##### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md)
+##### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md)
+##### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md)
+
 #### [Hardware-based isolation]()
 ##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
 
 ##### [Application isolation]()
 ###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md)
-
-#### [Application control](windows-defender-application-control/windows-defender-application-control.md)
+###### [Application control](windows-defender-application-control/windows-defender-application-control.md)
 
 #### [Device control]()
 ##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index 5855b14b1d..e8f58439cb 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -114,7 +114,7 @@ To prevent malware infections or data loss, an organization may restrict USB dri
 
 All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/en-us/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates:
 
-![Admintemplates](windows-defender-antivirus/images/admintemplates.png)
+![Admintemplates](images/admintemplates.png)
 
 >[!Note]
 >Using Intune, you can apply device configuration policies to AAD user and/or device groups.
@@ -159,13 +159,13 @@ If you want to prevent a device class or certain devices, you can use the preven
 
 The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, represent the recommended configuration for ATP.  Configuration settings for baseline are located here in the edit profile page of the configuration settings.
 
-![Baselines](https://github.com/MicrosoftDocs/windows-docs-pr/blob/v-jowirt-updates/windows/security/threat-protection/windows-defender-antivirus/images/baselines.png)
+![Baselines](images/baselines.png)
 
 ### Bluetooth
 
 Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed.  As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. 
 
-![Bluetooth](https://github.com/MicrosoftDocs/windows-docs-pr/blob/v-jowirt-updates/windows/security/threat-protection/windows-defender-antivirus/images/bluetooth.png)
+![Bluetooth](images/bluetooth.png)
 
 
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/admintemplates.png b/windows/security/threat-protection/device-control/images/admintemplates.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/admintemplates.png
rename to windows/security/threat-protection/device-control/images/admintemplates.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/baselines.png b/windows/security/threat-protection/device-control/images/baselines.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/baselines.png
rename to windows/security/threat-protection/device-control/images/baselines.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/bluetooth.png b/windows/security/threat-protection/device-control/images/bluetooth.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/bluetooth.png
rename to windows/security/threat-protection/device-control/images/bluetooth.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index b9ff87202a..84bd3f8d8a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -175,6 +175,56 @@ However, if the connectivity check results indicate a failure, an HTTP error is
 > The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
 > When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
 
+## Conduct investigations with Microsoft Defender ATP behind a proxy
+Microsoft Defender ATP supports network connection monitoring from different levels of the operating system network stack. A challenging case is when the network uses a forward proxy as a gateway to the internet.
+The proxy acts as if it was the target endpoint.  In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. Microsoft Defender ATP supports advanced HTTP level sensor.
+By enabling this sensor, Microsoft Defender ATP will expose a new type of events that surfaces the real target domain names. <br><br>
+
+**Investigation Impact**<br>
+In machine's timeline the IP address will keep representing the proxy, while the real target address shows up.
+![Image of network events on machine's timeline](images/atp-proxy-investigation.png)<br>
+
+Additional events triggered by the Network Protection layer are now available to surface the real domain names even behind a proxy. <br>
+Event's information:
+![Image of single network event](images/atp-proxy-investigation-event.png)<br>
+
+**Advanced Hunting**<br>
+All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ‘ConnecionSuccess’ action type.<br>
+Using this simple query will show you all the relevant events:
+
+```
+NetworkCommunicationEvents
+| where ActionType == "ConnectionSuccess" 
+| take 10
+```
+![Image of advanced hunting query](images/atp-proxy-investigation-ah.png)
+
+You can also filter out the events that are related to connection to the proxy itself. Use the following query to filter out the connections to the proxy:
+```
+NetworkCommunicationEvents
+| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"  
+| take 10
+```
+
+**How to enable the advanced network connection sensor**<br>
+Monitoring network connection behind forward proxy is possible due to additional Network Events that originate from Network Protection. To see them in machine’s timeline you need to turn Network Protection on at least in audit mode. <br>
+
+Network protection is a feature in Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites.  Its behavior can be controlled by the following options: Block and Audit. <br>
+If you turn this policy on in "Block" mode, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.<br>
+
+If you turn this policy on in "Audit" mode, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.<br>
+
+If you turn this policy off, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.<br>
+
+If you do not configure this policy, network blocking will be disabled by default. <br><br>
+
+> [!NOTE]
+> In order to enable Monitoring network connection behind forward proxy and see the domains you will need to enable network protection at least in audit mode.
+
+Additional documentation:
+- [Applying network protection with GP – policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
+- [Windows Defender Exploit Guard Documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet)
+
 ## Related topics
 - [Onboard Windows 10 machines](configure-endpoints.md)
 - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-ah.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-ah.png
new file mode 100644
index 0000000000..890817a70b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-ah.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-event.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-event.png
new file mode 100644
index 0000000000..f30feb9983
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-event.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png
new file mode 100644
index 0000000000..be66344ea0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png differ