diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md
index a13280d8d4..a501494419 100644
--- a/devices/surface-hub/surface-hub-authenticator-app.md
+++ b/devices/surface-hub/surface-hub-authenticator-app.md
@@ -39,8 +39,13 @@ Currently, you cannot use Microsoft Authenticator to sign in to Surface Hubs tha
## Individual prerequisites
- An Android phone running 6.0 or later, or an iPhone or iPad running iOS9 or later
+
- The most recent version of the Microsoft Authenticator app from the appropriate app store
+ >[!NOTE]
+ >The Microsoft Authenticator app on phones running a Windows operating system can't be used to sign in to Surface Hub.
+
- Passcode or screen lock on your device is enabled
+
- A standard SMTP email address (example: joe@contoso.com). Non-standard or vanity SMTP email addresses (example: firstname.lastname@contoso.com) currently don’t work.
diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md
new file mode 100644
index 0000000000..941c15911e
--- /dev/null
+++ b/windows/deployment/Windows-AutoPilot-EULA-note.md
@@ -0,0 +1,20 @@
+---
+title: Windows Autopilot EULA dismissal – important information
+description: A notice about EULA dismissal through Windows AutoPilot
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+ms.localizationpriority: high
+ms.author: mayam
+ms.date: 08/22/2017
+ROBOTS: noindex,nofollow
+---
+# Windows Autopilot EULA dismissal – important information
+
+>[!IMPORTANT]
+>The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
+
+Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen.
+
+By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors.
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index 3e2f82bcdc..251fe4e680 100644
--- a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -23,6 +23,8 @@ ms.localizationpriority: high
Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with.
+
+
Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
## Block file
@@ -41,6 +43,12 @@ For more information, see [Investigate a user account](investigate-user-windows-
## Skype for Business integration
Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
+## Azure Advanced Threat Protection integration
+The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you’ll enrich the machine-based investigation capability by pivoting across the network from an identify point of view. Advanced Threat Protection portal.
+
+>[!NOTE]
+>You'll need to have the appropriate license to enable this feature.
+
## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
index c9063c8fa9..0c7f50581f 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png
index da80abb64f..c90cef7b32 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png
new file mode 100644
index 0000000000..5e2258d16d
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png b/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png
index 508822a2ad..b4865884d3 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png and b/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png
index 1d852999b9..b08381baed 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png and b/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png b/windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png
new file mode 100644
index 0000000000..2bea8cb48d
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png differ
diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index 2a4675f3c4..e1a65b12c9 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -31,15 +31,25 @@ You can click on affected machines whenever you see them in the portal to open a
- Any IP address or domain details view
When you investigate a specific machine, you'll see:
-- Machine details, Logged on users, and Machine Reporting
+- Machine details, Azure Advanced Threat Protection alerts, Logged on users, and Machine Reporting
- Alerts related to this machine
- Machine timeline
-
+
-The machine details, total logged on users and machine reporting sections display various attributes about the machine. You’ll see details such as machine name, health state, actions you can take on the machine, and others. For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md).
+The machine details, Azure Advanced Threat Protection alerts, total logged on users, and machine reporting sections display various attributes about the machine.
-You'll also see other information such as domain, operating system (OS) and build, total logged on users and who frequently and less frequently logged on, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service.
+The machine details tile provides information such as the domain and OS of the machine. If there's an investigation package available on the machine, you'll see a link that allows you to download the package.
+
+For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md).
+
+If you have enabled the Azure Advanced Threat Protection feature and there are alerts related to the machine, you can click on the link that will take you to the Azure Advanced Threat Protection page where more information about the alerts are provided. The Azure Advanced Threat Protection tile also provides details such as the last Azure Active Directory site information and total domain group memberships.
+
+>[!NOTE]
+>You’ll need to enable the integration between Windows Defender ATP and Azure Advanced Threat Protection to use this feature.
+
+
+For more information on how to enable the Azure Advanced Threat Protection integration, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md).
Clicking on the number of total logged on users in the Logged on users tile opens the Users Details pane that displays the following information for logged on users in the past 30 days:
@@ -72,38 +82,40 @@ Use the search bar to look for specific timeline events. Harness the power of us
- **Value** - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search supports defined search queries based on type:value pairs.
You can use any of the following values:
- - Hash: Sha1 or MD5
- - File name
- - File extension
- - Path
- - Command line
- - User
- - IP
- - URL
+ - Hash: Sha1 or MD5
+ - File name
+ - File extension
+ - Path
+ - Command line
+ - User
+ - IP
+ - URL
+
- **Informational level** – Click the drop-down button to filter by the following levels:
- - Detections mode: displays Windows ATP Alerts and detections
- - Behaviors mode: displays "detections" and selected events of interest
- - Verbose mode: displays all raw events without aggregation or filtering
+ - Detections mode: displays Windows ATP Alerts and detections
+ - Behaviors mode: displays "detections" and selected events of interest
+ - Verbose mode: displays all raw events without aggregation or filtering
- **Event type** - Click the drop-down button to filter by the following levels:
- - Windows Defender ATP alerts
- - Windows Defender AV alerts
- - Response actions
- - AppGuard related events
- - Windows Defender Device Guard events
- - Process events
- - Network events
- - File events
- - Registry events
- - Load DLL events
- - Other events
- Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed.
+ - Windows Defender ATP alerts
+ - Windows Defender AV alerts
+ - Device Guard events
+ - Exploit Guard events
+ - SmartScreen events
+ - Response actions
+ - Process events
+ - Network events
+ - File events
+ - Registry events
+ - Load DLL events
+ - Other events
+ Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed.
- **User account** – Click the drop-down button to filter the machine timeline by the following user associated events:
- - Logon users
- - System
- - Network
- - Local service
+ - Logon users
+ - System
+ - Network
+ - Local service
The following example illustrates the use of type:value pair. The events were filtered by searching for the user jonathan.wolcott and network events as the event type:
diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
index 3fad51eada..cdacf606dc 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
@@ -32,13 +32,26 @@ You can find user account information in the following views:
A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown.
When you investigate a user account entity, you'll see:
-- User account details and Logged on machines
+- User account details, Azure Advanced Threat Protection alerts, and Logged on machines
- Alerts related to this user
- Observed in organization (machines logged on to)
-
-The user account entity details and logged on machines section display various attributes about the user account. You'll see details such as when the user was first and last seen and the total number of machines the user logged on to. You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
+
+
+The user account entity details, Azure Advanced Threat Protection alerts, and logged on machines sections display various attributes about the user account.
+
+The user entity tile provides details about the user such as when the user was first and last seen. Depending on the integration features you enable, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal.
+
+If you have enabled the Azure Advanced Threat Protection feature and there are alerts related to the user, you can click on the link that will take you to the Azure Advanced Threat Protection page where more information about the alerts are provided. The Azure Advanced Threat Protection tile also provides details such as the last AD site, total group memberships, and login failure associated with the user.
+
+You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
+
+>[!NOTE]
+>You’ll need to enable the integration between Windows Defender ATP and Azure Advanced Threat Protection to use this feature.
+
+
+For more information on how to enable advanced features, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md).
The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.
@@ -54,6 +67,8 @@ The machine health state is displayed in the machine icon and color as well as i
2. Enter the user account in the **Search** field.
3. Click the search icon or press **Enter**.
+[IS THE BEHAVIOUR BELOW STILL TRUE? I TRIED TO SEARCH FOR USERS AND IT DOESN'T SEEM TO DISPLAY A LIST - PLEASE CHECK FOR TECHNICAL ACCURACY. THANKS!]
+
A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of machines it was observed logged on to in the last 30 days.
You can filter the results by the following time periods: