diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index f60748b37b..9483ca4022 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -1,13 +1,12 @@
---
-title: WDAC and virtualization-based code integrity (Windows 10)
-description: Hardware and software system integrity-hardening capabilites that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
+title: Windows Defender Application Control and virtualization-based code integrity (Windows 10)
+description: Hardware and software system integrity-hardening capabilities that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
keywords: virtualization, security, malware, device guard
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 07/01/2019
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -19,24 +18,24 @@ ms.custom: asr
- Windows 10
- Windows Server 2016
-Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
+Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks by using virtualization-based protection of code integrity (more specifically, HVCI).
-Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices.
+Configurable code integrity policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions:
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
-3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
-4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
+3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
+4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
## Windows Defender Application Control
-When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either.
+When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with more hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either.
Configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
-Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
+Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as an independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
We hope this change will help us better communicate options for adopting application control within an organization.
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
index 58cd36777d..d33ce3552f 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
@@ -21,12 +21,12 @@ manager: dansimp
You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable.
-This topic describes some common mistake that you should avoid when defining exclusions.
+This article describes some common mistake that you should avoid when defining exclusions.
Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
## Excluding certain trusted items
-There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
+Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
**Do not add exclusions for the following folder locations:**
@@ -61,44 +61,44 @@ There are certain files, file types, folders, or processes that you should not e
- C:\Windows\Temp\*
**Do not add exclusions for the following file extensions:**
-- .7zip
-- .bat
-- .bin
-- .cab
-- .cmd
-- .com
-- .cpl
-- .dll
-- .exe
-- .fla
-- .gif
-- .gz
-- .hta
-- .inf
-- .java
-- .jar
-- .job
-- .jpeg
-- .jpg
-- .js
-- .ko
-- .ko.gz
-- .msi
-- .ocx
-- .png
-- .ps1
-- .py
-- .rar
-- .reg
-- .scr
-- .sys
-- .tar
-- .tmp
-- .url
-- .vbe
-- .vbs
-- .wsf
-- .zip
+- `.7zip`
+- `.bat`
+- `.bin`
+- `.cab`
+- `.cmd`
+- `.com`
+- `.cpl`
+- `.dll`
+- `.exe`
+- `.fla`
+- `.gif`
+- `.gz`
+- `.hta`
+- `.inf`
+- `.java`
+- `.jar`
+- `.job`
+- `.jpeg`
+- `.jpg`
+- `.js`
+- `.ko`
+- `.ko.gz`
+- `.msi`
+- `.ocx`
+- `.png`
+- `.ps1`
+- `.py`
+- `.rar`
+- `.reg`
+- `.scr`
+- `.sys`
+- `.tar`
+- `.tmp`
+- `.url`
+- `.vbe`
+- `.vbs`
+- `.wsf`
+- `.zip`
>[!NOTE]
> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
@@ -150,7 +150,7 @@ Do not use a single exclusion list to define exclusions for multiple server work
Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables.
See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
-## Related topics
+## Related articles
- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
index 43aa53b445..c3ec759d81 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
@@ -22,7 +22,7 @@ ms.date: 10/22/2020
**Applies to:**
-- Microsoft Defender Antivirus
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
index 4be673460a..2555377694 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
-- Microsoft Defender Antivirus
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
index 1485e83d0a..e4896f9709 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
-- Microsoft Defender Antivirus
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
index cc8fa8dec9..b080c70faa 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 01/06/2021
ms.reviewer:
manager: dansimp
---
@@ -39,20 +39,20 @@ To configure these settings:
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
-4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+4. Select the policy **Setting** as specified in the table below, and set the option to your desired configuration. Select **OK**, and repeat for any other settings.
-Location | Setting | Description | Default setting (if not configured)
----|---|---|---
-Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
-Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
-Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
-Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
-Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
-Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
+|Location | Setting | Description | Default setting (if not configured) |
+|:---|:---|:---|:---|
+|Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled|
+|Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days |
+|Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) |
+|Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed |
+|Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable |
+|Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable |
> [!IMPORTANT]
> Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
index 1fa6c1665b..7c834bd8e4 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
@@ -19,6 +19,10 @@ ms.custom: nextgen
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
index 97eeac6ba1..56d70bda19 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 01/06/2021
ms.reviewer:
manager: dansimp
---
@@ -29,11 +29,11 @@ Depending on the management tool you are using, you may need to specifically ena
See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
-Some scenarios require additional guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
+Some scenarios require more guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
-The remaining topic in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
+The remaining article in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
-## Related topics
+## Related articles
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
index 2dfddb6de2..69956ae919 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
@@ -21,7 +21,7 @@ ms.custom: nextgen
**Applies to:**
-- Microsoft Defender Antivirus
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
> [!NOTE]
> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
index add2af0433..acbc359a64 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.reviewer:
+ms.reviewer: pahuijbr
manager: dansimp
---
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
index 613d0bb3b1..42af3da160 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Manage how and where Microsoft Defender AV receives updates
+title: Manage how and where Microsoft Defender Antivirus receives updates
description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates.
keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus
search.product: eADQiWindows 10XVcnh
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.reviewer:
+ms.reviewer: pahuijbr
manager: dansimp
ms.custom: nextgen
---
@@ -170,7 +170,7 @@ Set up a network file share (UNC/mapped drive) to download security intelligence
MD C:\Temp\TempSigs\x86
```
-3. Download the Powershell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4).
+3. Download the PowerShell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4).
4. Click **Manual Download**.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index 9700678379..b0d94c4785 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -11,9 +11,9 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.reviewer:
+ms.reviewer: pahuijbr
manager: dansimp
-ms.date: 12/05/2020
+ms.date: 01/07/2021
---
# Manage Microsoft Defender Antivirus updates and apply baselines
@@ -47,7 +47,7 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft
Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
-For a list of recent security intelligence updates, please visit: [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes).
+For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes).
Engine updates are included with security intelligence updates and are released on a monthly cadence.
@@ -64,17 +64,17 @@ You can manage the distribution of updates through one of the following methods:
For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
> [!NOTE]
-> We release these monthly updates in phases. This results in multiple packages visible in your WSUS server.
+> Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
## Monthly platform and engine versions
-For information how to update or how to install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
+For information how to update or install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
All our updates contain
- performance improvements;
- serviceability improvements; and
- integration improvements (Cloud, Microsoft 365 Defender).
-
+
@@ -87,6 +87,7 @@ All our updates contain
Support phase: **Security and Critical Updates**
### What's new
+
- Improved SmartScreen status support logging
- Apply CPU throttling policy to manually initiated scans
@@ -103,12 +104,14 @@ No known issues
Support phase: **Security and Critical Updates**
### What's new
+
- New descriptions for special threat categories
- Improved emulation capabilities
- Improved host address allow/block capabilities
- New option in Defender CSP to Ignore merging of local user exclusions
### Known Issues
+
No known issues
@@ -121,6 +124,7 @@ No known issues
Support phase: **Security and Critical Updates**
### What's new
+
- Admin permissions are required to restore files in quarantine
- XML formatted events are now supported
- CSP support for ignoring exclusion merges
@@ -132,9 +136,16 @@ No known issues
- Improved Office VBA module scanning
### Known Issues
+
No known issues
+
+### Previous version updates: Technical upgrade support only
+
+After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.
+
+
August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)
@@ -142,7 +153,6 @@ No known issues
Released: **August 27, 2020**
Platform: **4.18.2008.9**
Engine: **1.1.17400.5**
- Support phase: **Security and Critical Updates**
### What's new
@@ -166,11 +176,12 @@ No known issues
Released: **July 28, 2020**
Platform: **4.18.2007.8**
Engine: **1.1.17300.4**
- Support phase: **Security and Critical Updates**
+ Support phase: **Technical upgrade support (only)**
### What's new
-* Improved telemetry for BITS
-* Improved Authenticode code signing certificate validation
+
+- Improved telemetry for BITS
+- Improved Authenticode code signing certificate validation
### Known Issues
No known issues
@@ -184,15 +195,16 @@ No known issues
Released: **June 22, 2020**
Platform: **4.18.2006.10**
Engine: **1.1.17200.2**
- Support phase: **Technical upgrade Support (Only)**
+ Support phase: **Technical upgrade support (only)**
### What's new
-* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
-* Skipping aggressive catchup scan in Passive mode.
-* Allow Defender to update on metered connections
-* Fixed performance tuning when caching is disabled
-* Fixed registry query
-* Fixed scantime randomization in ADMX
+
+- Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
+- Skipping aggressive catchup scan in Passive mode.
+- Allow Defender to update on metered connections
+- Fixed performance tuning when caching is disabled
+- Fixed registry query
+- Fixed scantime randomization in ADMX
### Known Issues
No known issues
@@ -206,15 +218,16 @@ No known issues
Released: **May 26, 2020**
Platform: **4.18.2005.4**
Engine: **1.1.17100.2**
- Support phase: **Technical upgrade Support (Only)**
+ Support phase: **Technical upgrade support (only)**
### What's new
-* Improved logging for scan events
-* Improved user mode crash handling.
-* Added event tracing for Tamper protection
-* Fixed AMSI Sample submission
-* Fixed AMSI Cloud blocking
-* Fixed Security update install log
+
+- Improved logging for scan events
+- Improved user mode crash handling.
+- Added event tracing for Tamper protection
+- Fixed AMSI Sample submission
+- Fixed AMSI Cloud blocking
+- Fixed Security update install log
### Known Issues
No known issues
@@ -228,16 +241,16 @@ No known issues
Released: **April 30, 2020**
Platform: **4.18.2004.6**
Engine: **1.1.17000.2**
- Support phase: **Technical upgrade Support (Only)**
+ Support phase: **Technical upgrade support (only)**
### What's new
-* WDfilter improvements
-* Add more actionable event data to attack surface reduction detection events
-* Fixed version information in diagnostic data and WMI
-* Fixed incorrect platform version in UI after platform update
-* Dynamic URL intel for Fileless threat protection
-* UEFI scan capability
-* Extend logging for updates
+- WDfilter improvements
+- Add more actionable event data to attack surface reduction detection events
+- Fixed version information in diagnostic data and WMI
+- Fixed incorrect platform version in UI after platform update
+- Dynamic URL intel for Fileless threat protection
+- UEFI scan capability
+- Extend logging for updates
### Known Issues
No known issues
@@ -251,15 +264,15 @@ No known issues
Released: **March 24, 2020**
Platform: **4.18.2003.8**
Engine: **1.1.16900.4**
- Support phase: **Technical upgrade Support (Only)**
+ Support phase: **Technical upgrade support (only)**
### What's new
-* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
-* Improve diagnostic capability
-* reduce Security intelligence timeout (5 min)
-* Extend AMSI engine internal log capability
-* Improve notification for process blocking
+- CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
+- Improve diagnostic capability
+- reduce Security intelligence timeout (5 min)
+- Extend AMSI engine internal log capability
+- Improve notification for process blocking
### Known Issues
[**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan.
@@ -272,11 +285,11 @@ No known issues
February-2020 (Platform: - | Engine: 1.1.16800.2)
- Security intelligence update version: **1.311.4.0**
- Released: **February 25, 2020**
- Platform/Client: **-**
- Engine: **1.1.16800.2**
- Support phase: **N/A**
+ Security intelligence update version: **1.311.4.0**
+ Released: **February 25, 2020**
+ Platform/Client: **-**
+ Engine: **1.1.16800.2**
+ Support phase: **Technical upgrade support (only)**
### What's new
@@ -294,24 +307,26 @@ Security intelligence update version: **1.309.32.0**
Released: **January 30, 2020**
Platform/Client: **4.18.2001.10**
Engine: **1.1.16700.2**
-Support phase: **Technical upgrade Support (Only)**
+ Support phase: **Technical upgrade support (only)**
### What's new
-* Fixed BSOD on WS2016 with Exchange
-* Support platform updates when TMP is redirected to network path
-* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
-* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
-* Fix 4.18.1911.3 hang
+- Fixed BSOD on WS2016 with Exchange
+- Support platform updates when TMP is redirected to network path
+- Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
+- extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
+- Fix 4.18.1911.3 hang
### Known Issues
[**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
> [!IMPORTANT]
-> This updates is needed by RS1 devices running lower version of the platform to support SHA2.
This update has reboot flag for systems that are experiencing the hang issue.
the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
-
-> [!IMPORTANT]
-> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update)
+> This update is:
+> - needed by RS1 devices running lower version of the platform to support SHA2;
+> - has a reboot flag for systems that have hanging issues;
+> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability;
+> - is categorized as an update due to the reboot requirement; and
+> - is only be offered with [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update).
@@ -326,24 +341,23 @@ Support phase: **No support**
### What's new
-* Fixed MpCmdRun tracing level
-* Fixed WDFilter version info
-* Improve notifications (PUA)
-* add MRT logs to support files
+- Fixed MpCmdRun tracing level
+- Fixed WDFilter version info
+- Improve notifications (PUA)
+- add MRT logs to support files
### Known Issues
When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
+
## Microsoft Defender Antivirus platform support
Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version:
-
-* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
+- **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
-
-* **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
+- **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
\* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.
@@ -354,22 +368,38 @@ The below table provides the Microsoft Defender Antivirus platform and engine ve
|Windows 10 release |Platform version |Engine version |Support phase |
|:---|:---|:---|:---|
-|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade Support (Only) |
-|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) |
-|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) |
-|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) |
-|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) |
-|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) |
-|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) |
-|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) |
+|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade support (only) |
+|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade support (only) |
+|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade support (only) |
+|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade support (only) |
+|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade support (only) |
+|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade support (only) |
+|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade support (only) |
+|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade support (only) |
-Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
+For Windows 10 release information, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
## Updates for Deployment Image Servicing and Management (DISM)
-We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection. For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
+We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection.
+
+For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
+1.1.2101.02
+
+ Package version: **1.1.2101.02**
+ Platform version: **4.18.2011.6**
+ Engine version: **1.17700.4**
+ Signature version: **1.329.1796.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+
1.1.2012.01
Package version: **1.1.2012.01**
@@ -427,12 +457,12 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
-## See also
+## Additional resources
| Article | Description |
|:---|:---|
|[Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images) | Review antimalware update packages for your OS installation images (WIM and VHD files). Get Microsoft Defender Antivirus updates for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 installation images. |
-|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources. |
+|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through many sources. |
|[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. |
|[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. |
|[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. |
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
index fbbf677933..e2fb5173d8 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Define how mobile devices are updated by Microsoft Defender AV
-description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender AV protection updates.
+title: Define how mobile devices are updated by Microsoft Defender Antivirus
+description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender Antivirus protection updates.
keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -11,7 +11,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
@@ -25,53 +24,56 @@ manager: dansimp
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates.
+Mobile devices and VMs may require more configuration to ensure performance is not impacted by updates.
-There are two settings that are particularly useful for these devices:
+There are two settings that are useful for these devices:
-- Opt-in to Microsoft Update on mobile computers without a WSUS connection
+- Opt in to Microsoft Update on mobile computers without a WSUS connection
- Prevent Security intelligence updates when running on battery power
-The following topics may also be useful in these situations:
+The following articles may also be useful in these situations:
- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)
-## Opt-in to Microsoft Update on mobile computers without a WSUS connection
+## Opt in to Microsoft Update on mobile computers without a WSUS connection
You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update.
-You can opt-in to Microsoft Update on the mobile device in one of the following ways:
+You can opt in to Microsoft Update on the mobile device in one of the following ways:
-1. Change the setting with Group Policy
-2. Use a VBScript to create a script, then run it on each computer in your network.
-3. Manually opt-in every computer on your network through the **Settings** menu.
+- Change the setting with Group Policy.
+- Use a VBScript to create a script, then run it on each computer in your network.
+- Manually opt in every computer on your network through the **Settings** menu.
-### Use Group Policy to opt-in to Microsoft Update
+### Use Group Policy to opt in to Microsoft Update
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
-4. Click **Policies** then **Administrative templates**.
+3. Select **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
-6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
+5. Set **Allow security intelligence updates from Microsoft Update** to **Enabled**, and then select **OK**.
-### Use a VBScript to opt-in to Microsoft Update
+### Use a VBScript to opt in to Microsoft Update
-1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
-2. Run the VBScript you created on each computer in your network.
+1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
-### Manually opt-in to Microsoft Update
+2. Run the VBScript you created on each computer in your network.
-1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
-2. Click **Advanced** options.
-3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
+### Manually opt in to Microsoft Update
+
+1. Open **Windows Update** in **Update & security** settings on the computer you want to opt in.
+
+2. Select **Advanced** options.
+
+3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
## Prevent Security intelligence updates when running on battery power
@@ -79,17 +81,15 @@ You can configure Microsoft Defender Antivirus to only download protection updat
### Use Group Policy to prevent security intelligence updates on battery power
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), choose the Group Policy Object you want to configure, and open it for editing.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
-4. Click **Policies** then **Administrative templates**.
+3. Select **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following setting:
-
- 1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**.
- 2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**, and then set **Allow security intelligence updates when running on battery power** to **Disabled**. Then select **OK**.
+This action prevents protection updates from downloading when the PC is on battery power.
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
index eb9a31fb16..3ca4e0239b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
@@ -24,9 +24,9 @@ manager: dansimp
**Applies to:**
-
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Microsoft Defender Antivirus
-- Office 365
+- Microsoft 365
You might already know that:
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 567fc845b6..ad05cd6b37 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -14,7 +14,7 @@ audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 11/19/2020
+ms.date: 01/07/2021
---
# Protect security settings with tamper protection
@@ -24,8 +24,12 @@ ms.date: 11/19/2020
**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+Tamper protection is available on devices running the following versions of Windows:
+
- Windows 10
-- Windows Server 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006))
+- Windows Server 2016 and 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006))
## Overview
@@ -74,7 +78,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And,
If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do change security settings, such as tamper protection.
-1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**.
+1. Click **Start**, and start typing *Security*. In the search results, select **Windows Security**.
2. Select **Virus & threat protection** > **Virus & threat protection settings**.
@@ -90,7 +94,7 @@ If you are part of your organization's security team, and your subscription incl
You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
-1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
+1. Make sure your organization meets all of the following requirements to use Intune to manage tamper protection:
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.)
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).)
@@ -101,15 +105,15 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
3. Select **Devices** > **Configuration Profiles**.
-4. Create a profile as follows:
+4. Create a profile that includes the following settings:
- - Platform: **Windows 10 and later**
+ - **Platform: Windows 10 and later**
- - Profile type: **Endpoint protection**
+ - **Profile type: Endpoint protection**
- - Category: **Microsoft Defender Security Center**
+ - **Category: Microsoft Defender Security Center**
- - Tamper Protection: **Enabled**
+ - **Tamper Protection: Enabled**
@@ -132,7 +136,7 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
> [!IMPORTANT]
> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure.
-If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.
+If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.
1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
@@ -209,7 +213,7 @@ Your regular group policy doesn’t apply to tamper protection, and changes to M
### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only?
-Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization as well as to specific devices and user groups.
+Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization and to specific devices and user groups.
### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
index 433c59bb6f..79cb4f70cc 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
@@ -23,7 +23,7 @@ ms.custom: nextgen
**Applies to:**
-- Microsoft Defender Antivirus
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
index da103c7192..b0a598436f 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
@@ -21,7 +21,7 @@ ms.custom: nextgen
**Applies to:**
-- Microsoft Defender Antivirus
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
index 629775a962..8c2ab186eb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
@@ -1,6 +1,6 @@
---
title: Customize controlled folder access
-description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files.
+description: Add other folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files.
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -12,7 +12,7 @@ author: denisebmsft
ms.author: deniseb
ms.reviewer: jcedola, dbodorin, vladiso, nixanm, anvascon
manager: dansimp
-ms.date: 12/16/2020
+ms.date: 01/06/2021
---
# Customize controlled folder access
@@ -38,7 +38,7 @@ This article describes how to customize controlled folder access capabilities, a
## Protect additional folders
-Controlled folder access applies to a number of system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list.
+Controlled folder access applies to many system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Adding other folders to controlled folder access can be helpful for cases when you don't store files in the default Windows libraries, or you've changed the default location of your libraries.
@@ -72,7 +72,7 @@ You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobil
### Use PowerShell to protect additional folders
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
+1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
@@ -125,7 +125,7 @@ An allowed application or service only has write access to a controlled folder a
### Use PowerShell to allow specific apps
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
+1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
index f519113f0c..0c01e2faf7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
@@ -15,7 +15,7 @@ ms.localizationpriority: medium
ms.custom:
- next-gen
- edr
-ms.date: 12/14/2020
+ms.date: 01/07/2021
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
@@ -32,7 +32,7 @@ ms.collection:
## What is EDR in block mode?
-When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is turned on, Defender for Endpoint blocks malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected, post breach.
+[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach.
EDR in block mode is also integrated with [threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Your organization's security team will get a [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) to turn EDR in block mode on if it isn't already enabled.
@@ -43,7 +43,7 @@ EDR in block mode is also integrated with [threat & vulnerability management](ht
## What happens when something is detected?
-When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
+When EDR in block mode is turned on, and a malicious artifact is detected, Microsoft Defender for Endpoint blocks and remediates that artifact. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:
@@ -71,32 +71,61 @@ The following image shows an instance of unwanted software that was detected and
|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later |
|Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
-|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled.
See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
-|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
-|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
+|Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). |
+|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
+|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
+|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
> [!IMPORTANT]
-> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are defined.
-
+> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus.
## Frequently asked questions
### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices?
-We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode gives you an added layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.
+We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides another layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.
### Will EDR in block mode have any impact on a user's antivirus protection?
-EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
+EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), except it also blocks and remediates malicious artifacts or behaviors that are detected.
### Why do I need to keep Microsoft Defender Antivirus up to date?
-Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date.
+Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest device learning models, behavioral detections, and heuristics. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner. To get best protection value, you should keep Microsoft Defender Antivirus up to date.
### Why do we need cloud protection on?
Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models.
+### How do I set Microsoft Defender Antivirus to passive mode?
+
+See [Enable Microsoft Defender Antivirus and confirm it's in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
+
+### How do I confirm Microsoft Defender Antivirus is in active or passive mode?
+
+To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows.
+
+#### Use PowerShell
+
+1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results.
+
+2. Type `Get-MpComputerStatus`.
+
+3. In the list of results, in the **AMRunningMode** row, look for one of the following values:
+ - `Normal`
+ - `Passive Mode`
+ - `SxS Passive Mode`
+
+To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus).
+
+#### Use Command Prompt
+
+1. Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results.
+
+2. Type `sc query windefend`.
+
+3. In the list of results, in the **STATE** row, confirm that the service is running.
+
## See also
- [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
index a6dcacc047..a7d1eb5399 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
-ms.date: 08/28/2020
+ms.date: 01/06/2021
ms.reviewer:
manager: dansimp
---
@@ -38,20 +38,20 @@ You can set mitigation in audit mode for specific programs either by using the W
### Windows Security app
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
+2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**.
3. Go to **Program settings** and choose the app you want to apply protection to:
- 1. If the app you want to configure is already listed, click it and then click **Edit**
- 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+ 1. If the app you want to configure is already listed, select it and then select **Edit**
+ 2. If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
+ - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
-5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
### PowerShell
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
index 99f4521685..f1867fadcb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
-ms.date: 07/20/2020
+ms.date: 01/06/2021
ms.reviewer: cjacks
manager: dansimp
ms.custom: asr
@@ -223,7 +223,7 @@ Block low integrity images will prevent the application from loading files that
### Description
-Block remote images will prevent the application from loading files that are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory that are on an external device controlled by the attacker.
+Blocking remote images helps to prevent the application from loading files that are hosted on a remote device, such as a UNC share. Blocking remote images helps protect against loading binaries into memory that are on an external device controlled by the attacker.
This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error.
@@ -257,7 +257,7 @@ The most common use of fonts outside of the system fonts directory is with [web
### Description
-Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. This includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process.
+Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. Code integrity guard includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process.
This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary that is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process.
@@ -275,9 +275,9 @@ This mitigation specifically blocks any binary that is not signed by Microsoft.
### Description
-Control flow guard (CFG) mitigates the risk of attackers leveraging memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program).
+Control flow guard (CFG) mitigates the risk of attackers using memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program).
-This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation.
+This mitigation is provided by injecting another check at compile time. Before each indirect function call, another instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation.
The check for a valid target is provided by the Windows kernel. When executable files are loaded, the metadata for indirect call targets is extracted at load time and marked as valid call targets. Additionally, when memory is allocated and marked as executable (such as for generated code), these memory locations are also marked as valid call targets, to support mechanisms such as JIT compilation.
@@ -296,7 +296,7 @@ Since applications must be compiled to support CFG, they implicitly declare thei
### Description
-Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code.
+Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. DEP helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code.
If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash.
@@ -304,7 +304,7 @@ If you attempt to set the instruction pointer to a memory address not marked as
All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is assumed.
-All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code.
+All x86 (32-bit) binaries have DEP enabled by default, but DEP can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, might not be compatible with DEP. Such applications typically generate code dynamically (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code.
### Configuration options
@@ -324,7 +324,7 @@ This includes:
### Compatibility considerations
-Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third party Legacy IMEs that will not work with the protected application.
+Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third-party Legacy IMEs that will not work with the protected application.
### Configuration options
@@ -341,7 +341,7 @@ Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode com
### Compatibility considerations
-This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation.
+This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will use process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation.
### Configuration options
@@ -379,18 +379,18 @@ This mitigation is primarily an issue for applications such as debuggers, sandbo
### Configuration options
-**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for additional commonly attacked modules:
+**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for other commonly attacked modules:
-- mshtml.dll
-- flash*.ocx
-- jscript*.ocx
-- vbscript.dll
-- vgx.dll
-- mozjs.dll
-- xul.dll
-- acrord32.dll
-- acrofx32.dll
-- acroform.api
+- `mshtml.dll`
+- `flash*.ocx`
+- `jscript*.ocx`
+- `vbscript.dll`
+- `vgx.dll`
+- `mozjs.dll`
+- `xul.dll`
+- `acrord32.dll`
+- `acrofx32.dll`
+- `acroform.api`
Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory.
@@ -400,7 +400,7 @@ Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection t
### Description
-Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker leveraging techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose.
+Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker using techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose.
Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019&preserve-view=true) linker option, and this mitigation has the same effect.
@@ -427,31 +427,31 @@ The memory pages for all protected APIs will have the [PAGE_GUARD](https://docs.
This mitigation protects the following Windows APIs:
-- GetProcAddress
-- GetProcAddressForCaller
-- LoadLibraryA
-- LoadLibraryExA
-- LoadLibraryW
-- LoadLibraryExW
-- LdrGetProcedureAddress
-- LdrGetProcedureAddressEx
-- LdrGetProcedureAddressForCaller
-- LdrLoadDll
-- VirtualProtect
-- VirtualProtectEx
-- VirtualAlloc
-- VirtualAllocEx
-- NtAllocateVirtualMemory
-- NtProtectVirtualMemory
-- CreateProcessA
-- CreateProcessW
-- WinExec
-- CreateProcessAsUserA
-- CreateProcessAsUserW
-- GetModuleHandleA
-- GetModuleHandleW
-- RtlDecodePointer
-- DecodePointer
+- `GetProcAddress`
+- `GetProcAddressForCaller`
+- `LoadLibraryA`
+- `LoadLibraryExA`
+- `LoadLibraryW`
+- `LoadLibraryExW`
+- `LdrGetProcedureAddress`
+- `LdrGetProcedureAddressEx`
+- `LdrGetProcedureAddressForCaller`
+- `LdrLoadDll`
+- `VirtualProtect`
+- `VirtualProtectEx`
+- `VirtualAlloc`
+- `VirtualAllocEx`
+- `NtAllocateVirtualMemory`
+- `NtProtectVirtualMemory`
+- `CreateProcessA`
+- `CreateProcessW`
+- `WinExec`
+- `CreateProcessAsUserA`
+- `CreateProcessAsUserW`
+- `GetModuleHandleA`
+- `GetModuleHandleW`
+- `RtlDecodePointer`
+- `DecodePointer`
### Compatibility considerations
@@ -471,7 +471,7 @@ The size of the 32-bit address space places practical constraints on the entropy
### Compatibility considerations
-Most applications that are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled).
+Most applications that are compatible with Mandatory ASLR (rebasing) are also compatible with the other entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled).
### Configuration options
@@ -488,40 +488,40 @@ Simulate execution (SimExec) is a mitigation for 32-bit applications only. This
The APIs intercepted by this mitigation are:
-- LoadLibraryA
-- LoadLibraryW
-- LoadLibraryExA
-- LoadLibraryExW
-- LdrLoadDll
-- VirtualAlloc
-- VirtualAllocEx
-- NtAllocateVirtualMemory
-- VirtualProtect
-- VirtualProtectEx
-- NtProtectVirtualMemory
-- HeapCreate
-- RtlCreateHeap
-- CreateProcessA
-- CreateProcessW
-- CreateProcessInternalA
-- CreateProcessInternalW
-- NtCreateUserProcess
-- NtCreateProcess
-- NtCreateProcessEx
-- CreateRemoteThread
-- CreateRemoteThreadEx
-- NtCreateThreadEx
-- WriteProcessMemory
-- NtWriteVirtualMemory
-- WinExec
-- CreateFileMappingA
-- CreateFileMappingW
-- CreateFileMappingNumaW
-- NtCreateSection
-- MapViewOfFile
-- MapViewOfFileEx
-- MapViewOfFileFromApp
-- LdrGetProcedureAddressForCaller
+- `LoadLibraryA`
+- `LoadLibraryW`
+- `LoadLibraryExA`
+- `LoadLibraryExW`
+- `LdrLoadDll`
+- `VirtualAlloc`
+- `VirtualAllocEx`
+- `NtAllocateVirtualMemory`
+- `VirtualProtect`
+- `VirtualProtectEx`
+- `NtProtectVirtualMemory`
+- `HeapCreate`
+- `RtlCreateHeap`
+- `CreateProcessA`
+- `CreateProcessW`
+- `CreateProcessInternalA`
+- `CreateProcessInternalW`
+- `NtCreateUserProcess`
+- `NtCreateProcess`
+- `NtCreateProcessEx`
+- `CreateRemoteThread`
+- `CreateRemoteThreadEx`
+- `NtCreateThreadEx`
+- `WriteProcessMemory`
+- `NtWriteVirtualMemory`
+- `WinExec`
+- `CreateFileMappingA`
+- `CreateFileMappingW`
+- `CreateFileMappingNumaW`
+- `NtCreateSection`
+- `MapViewOfFile`
+- `MapViewOfFileEx`
+- `MapViewOfFileFromApp`
+- `LdrGetProcedureAddressForCaller`
If a ROP gadget is detected, the process is terminated.
@@ -543,40 +543,40 @@ Validate API invocation (CallerCheck) is a mitigation for return-oriented progra
The APIs intercepted by this mitigation are:
-- LoadLibraryA
-- LoadLibraryW
-- LoadLibraryExA
-- LoadLibraryExW
-- LdrLoadDll
-- VirtualAlloc
-- VirtualAllocEx
-- NtAllocateVirtualMemory
-- VirtualProtect
-- VirtualProtectEx
-- NtProtectVirtualMemory
-- HeapCreate
-- RtlCreateHeap
-- CreateProcessA
-- CreateProcessW
-- CreateProcessInternalA
-- CreateProcessInternalW
-- NtCreateUserProcess
-- NtCreateProcess
-- NtCreateProcessEx
-- CreateRemoteThread
-- CreateRemoteThreadEx
-- NtCreateThreadEx
-- WriteProcessMemory
-- NtWriteVirtualMemory
-- WinExec
-- CreateFileMappingA
-- CreateFileMappingW
-- CreateFileMappingNumaW
-- NtCreateSection
-- MapViewOfFile
-- MapViewOfFileEx
-- MapViewOfFileFromApp
-- LdrGetProcedureAddressForCaller
+- `LoadLibraryA`
+- `LoadLibraryW`
+- `LoadLibraryExA`
+- `LoadLibraryExW`
+- `LdrLoadDll`
+- `VirtualAlloc`
+- `VirtualAllocEx`
+- `NtAllocateVirtualMemory`
+- `VirtualProtect`
+- `VirtualProtectEx`
+- `NtProtectVirtualMemory`
+- `HeapCreate`
+- `RtlCreateHeap`
+- `CreateProcessA`
+- `CreateProcessW`
+- `CreateProcessInternalA`
+- `CreateProcessInternalW`
+- `NtCreateUserProcess`
+- `NtCreateProcess`
+- `NtCreateProcessEx`
+- `CreateRemoteThread`
+- `CreateRemoteThreadEx`
+- `NtCreateThreadEx`
+- `WriteProcessMemory`
+- `NtWriteVirtualMemory`
+- `WinExec`
+- `CreateFileMappingA`
+- `CreateFileMappingW`
+- `CreateFileMappingNumaW`
+- `NtCreateSection`
+- `MapViewOfFile`
+- `MapViewOfFileEx`
+- `MapViewOfFileFromApp`
+- `LdrGetProcedureAddressForCaller`
If a ROP gadget is detected, the process is terminated.
@@ -594,7 +594,7 @@ This mitigation is incompatible with the Arbitrary Code Guard mitigation.
### Description
-Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.
+Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can use a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.
This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that:
@@ -619,7 +619,7 @@ Compatibility issues with SEHOP are relatively rare. It's uncommon for an applic
### Description
-*Validate handle usage* is a mitigation that helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE).
+*Validate handle usage* is a mitigation that helps protect against an attacker using an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE).
This mitigation is automatically applied to Windows Store applications.
@@ -639,7 +639,7 @@ Applications that were not accurately tracking handle references, and which were
The *validate heap integrity* mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected. The mitigations include:
- Preventing a HEAP handle from being freed
-- Performing additional validation on extended block headers for heap allocations
+- Performing another validation on extended block headers for heap allocations
- Verifying that heap allocations are not already flagged as in-use
- Adding guard pages to large allocations, heap segments, and subsegments above a minimum size
@@ -672,48 +672,48 @@ Compatibility issues are uncommon. Applications that depend on replacing Windows
The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack that controls the flow of execution.
-This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated.
+This mitigation intercepts many Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated.
The APIs intercepted by this mitigation are:
-- LoadLibraryA
-- LoadLibraryW
-- LoadLibraryExA
-- LoadLibraryExW
-- LdrLoadDll
-- VirtualAlloc
-- VirtualAllocEx
-- NtAllocateVirtualMemory
-- VirtualProtect
-- VirtualProtectEx
-- NtProtectVirtualMemory
-- HeapCreate
-- RtlCreateHeap
-- CreateProcessA
-- CreateProcessW
-- CreateProcessInternalA
-- CreateProcessInternalW
-- NtCreateUserProcess
-- NtCreateProcess
-- NtCreateProcessEx
-- CreateRemoteThread
-- CreateRemoteThreadEx
-- NtCreateThreadEx
-- WriteProcessMemory
-- NtWriteVirtualMemory
-- WinExec
-- CreateFileMappingA
-- CreateFileMappingW
-- CreateFileMappingNumaW
-- NtCreateSection
-- MapViewOfFile
-- MapViewOfFileEx
-- MapViewOfFileFromApp
-- LdrGetProcedureAddressForCaller
+- `LoadLibraryA`
+- `LoadLibraryW`
+- `LoadLibraryExA`
+- `LoadLibraryExW`
+- `LdrLoadDll`
+- `VirtualAlloc`
+- `VirtualAllocEx`
+- `NtAllocateVirtualMemory`
+- `VirtualProtect`
+- `VirtualProtectEx`
+- `NtProtectVirtualMemory`
+- `HeapCreate`
+- `RtlCreateHeap`
+- `CreateProcessA`
+- `CreateProcessW`
+- `CreateProcessInternalA`
+- `CreateProcessInternalW`
+- `NtCreateUserProcess`
+- `NtCreateProcess`
+- `NtCreateProcessEx`
+- `CreateRemoteThread`
+- `CreateRemoteThreadEx`
+- `NtCreateThreadEx`
+- `WriteProcessMemory`
+- `NtWriteVirtualMemory`
+- `WinExec`
+- `CreateFileMappingA`
+- `CreateFileMappingW`
+- `CreateFileMappingNumaW`
+- `NtCreateSection`
+- `MapViewOfFile`
+- `MapViewOfFileEx`
+- `MapViewOfFileFromApp`
+- `LdrGetProcedureAddressForCaller`
### Compatibility considerations
-Applications that are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
+Applications that are using fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
Applications that perform API interception, particularly security software, can cause compatibility problems with this mitigation.
This mitigation is incompatible with the Arbitrary Code Guard mitigation.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md
index 71d6de5b4d..2942c525e6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/gov.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md
@@ -45,21 +45,21 @@ Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/44
Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819)) |  | 
Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) |  | 
Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) |  | 
-Windows 10, version 1803 |  Coming soon |  With [KB4499183](https://support.microsoft.com/help/4499183)
-Windows 10, version 1709 | 
Note: Will not be supported |  With [KB4499147](https://support.microsoft.com/help/4499147)
Note: Will be deprecated, please upgrade
+Windows 10, version 1803 |  Rolling out |  With [KB4499183](https://support.microsoft.com/help/4499183)
+Windows 10, version 1709 | 
Note: Will not be supported |  With [KB4499147](https://support.microsoft.com/help/4499147)
Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade
Windows 10, version 1703 and earlier | 
Note: Will not be supported | 
Note: Will not be supported
Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) |  | 
-Windows Server 2016 |  Coming soon | 
-Windows Server 2012 R2 |  Coming soon | 
-Windows Server 2008 R2 SP1 |  Coming soon | 
-Windows 8.1 Enterprise |  Coming soon | 
-Windows 8 Pro |  Coming soon | 
-Windows 7 SP1 Enterprise |  Coming soon | 
-Windows 7 SP1 Pro |  Coming soon | 
-Mac OS |  | 
-Linux |  | 
-iOS |  | 
-Android |  | 
+Windows Server 2016 |  Rolling out |  In development
+Windows Server 2012 R2 |  Rolling out |  In development
+Windows Server 2008 R2 SP1 |  Rolling out |  In development
+Windows 8.1 Enterprise |  Rolling out |  In development
+Windows 8 Pro |  Rolling out |  In development
+Windows 7 SP1 Enterprise |  Rolling out |  In development
+Windows 7 SP1 Pro |  Rolling out |  In development
+Linux |  In development |  In development
+macOS |  In development |  In development
+Android |  On engineering backlog |  On engineering backlog
+iOS |  On engineering backlog |  On engineering backlog
> [!NOTE]
> A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment.
@@ -69,9 +69,9 @@ The following OS versions are supported when using [Azure Defender for Servers](
OS version | GCC | GCC High
:---|:---|:---
-Windows Server 2016 |  Coming soon | 
-Windows Server 2012 R2 |  Coming soon | 
-Windows Server 2008 R2 SP1 |  Coming soon | 
+Windows Server 2016 |  Rolling out | 
+Windows Server 2012 R2 |  Rolling out | 
+Windows Server 2008 R2 SP1 |  Rolling out | 
@@ -106,24 +106,24 @@ These are the known gaps as of January 2021:
Feature name | GCC | GCC High
:---|:---|:---
-Threat analytics |  | 
-Threat & vulnerability management |  | 
-Automated investigation and remediation: Response to Office 365 alerts |  | 
-Automated investigation and remediation: Live response |  | 
-Management and APIs: Threat protection report |  | 
-Management and APIs: Device health and compliance report |  | 
-Management and APIs: Streaming API |  Coming soon | 
-Management and APIs: Integration with third-party products |  | 
-Email notifications |  Coming soon | 
-Evaluation lab |  | 
-Web content filtering |  Coming soon | 
-Integrations: Azure Sentinel |  Coming soon | 
-Integrations: Microsoft Cloud App Security |  | 
-Integrations: Microsoft Compliance Center |  | 
-Integrations: Microsoft Defender for Identity |  | 
-Integrations: Microsoft Defender for Office 365 |  | 
-Integrations: Microsoft Endpoint DLP |  | 
-Integrations: Microsoft Intune |  | 
-Integrations: Microsoft Power Automate & Azure Logic Apps |  Coming soon | 
-Integrations: Skype for Business / Teams |  | 
-Microsoft Threat Experts |  | 
+Automated investigation and remediation: Live response |  |  In development
+Automated investigation and remediation: Response to Office 365 alerts |  On engineering backlog |  On engineering backlog
+Email notifications |  Rolling out |  In development
+Evaluation lab |  |  In development
+Management and APIs: Device health and compliance report |  |  In development
+Management and APIs: Integration with third-party products |  |  In development
+Management and APIs: Streaming API |  Rolling out |  In development
+Management and APIs: Threat protection report |  |  In development
+Threat & vulnerability management |  |  In development
+Threat analytics |  |  In development
+Web content filtering |  In development |  In development
+Integrations: Azure Sentinel |  Rolling out |  In development
+Integrations: Microsoft Cloud App Security |  On engineering backlog |  On engineering backlog
+Integrations: Microsoft Compliance Center |  On engineering backlog |  On engineering backlog
+Integrations: Microsoft Defender for Identity |  On engineering backlog |  On engineering backlog
+Integrations: Microsoft Defender for Office 365 |  On engineering backlog |  On engineering backlog
+Integrations: Microsoft Endpoint DLP |  On engineering backlog |  On engineering backlog
+Integrations: Microsoft Intune |  |  In development
+Integrations: Microsoft Power Automate & Azure Logic Apps |  Rolling out |  In development
+Integrations: Skype for Business / Teams |  |  In development
+Microsoft Threat Experts |  On engineering backlog |  On engineering backlog
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index 0b6737027d..ce1b2006f7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -11,7 +11,6 @@ ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
-ms.date: 04/30/2019
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -33,7 +32,7 @@ Network protection expands the scope of [Microsoft Defender SmartScreen](../micr
Network protection is supported beginning with Windows 10, version 1709.
-For more details about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
+For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
> [!TIP]
> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
@@ -46,7 +45,7 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network
## Requirements
-Network protection requires Windows 10 Pro, Enterprise E3, E5 and Microsoft Defender AV real-time protection.
+Network protection requires Windows 10 Pro, Enterprise E3, E5, and Microsoft Defender AV real-time protection.
Windows 10 version | Microsoft Defender Antivirus
-|-
@@ -76,7 +75,7 @@ You can review the Windows event log to see events that are created when network
1. [Copy the XML directly](event-views.md).
-2. Click **OK**.
+2. Select **OK**.
3. This will create a custom view that filters to only show the following events related to network protection:
@@ -88,6 +87,6 @@ You can review the Windows event log to see events that are created when network
## Related articles
-- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created.
+- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created.
- [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md
index 3b37769671..eeeba70ccd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/use.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/use.md
@@ -36,6 +36,11 @@ Use the **Threat & Vulnerability Management** dashboard to expand your visibilit
Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown.
+## Microsoft Defender for Endpoint interactive guide
+In this interactive guide, you'll learn how to investigate threats to your organization with Microsoft Defender for Endpoint. You'll see how Microsoft Defender for Endpoint can help you identify suspicious activities, investigate risks to your organization, and remediate threats.
+
+> [!VIDEO https://aka.ms/MSDE-IG]
+
### In this section
Topic | Description