diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index de1879bcba..6281fa157d 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -9,7 +9,7 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
-ms.date: 10/31/2019
+ms.date: 11/20/2019
ms.reviewer: scottmca
manager: dansimp
ms.localizationpriority: medium
@@ -21,8 +21,7 @@ ms.audience: itpro
Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
>[!NOTE]
->SEMM is only available on devices with Surface UEFI firmware.
-
+>SEMM is only available on devices with Surface UEFI firmware. This includes most Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3 commercial SKUs with an Intel processor. SEMM is not supported on the 15" Surface Laptop 3 SKU with AMD processor (only available as a retail SKU).
When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
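Review bot: The added note sentence "This includes most Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3 commercial SKUs with an Intel processor" repeats "includes ... including", and it is unclear whether "with an Intel processor" applies to all three models or only to Surface Laptop 3. Suggest splitting it so that the supported list and the Intel qualifier for Surface Laptop 3 are stated separately. The hunk also removes the empty line after the note. Confirm that a blank line still separates the `>` note from the "When Surface devices are configured by SEMM" paragraph, otherwise that paragraph may render as part of the note.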
@@ -229,8 +228,8 @@ create a reset package using PowerShell to reset SEMM.
## Version History
-### Version 2.59.139
-* Support to Surface Pro 7 and Surface Laptop 3
+### Version 2.59.
+* Support to Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported.
- Support to Wake on Power feature
### Version 2.54.139.0
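Review bot: The heading changes from "### Version 2.59.139" to "### Version 2.59.", which leaves a truncated version number with a trailing period, while the neighbouring heading keeps the full form "2.54.139.0". This looks like an unfinished edit, so restore the complete version string. In the same list, the new `*` bullet sits next to an existing `-` bullet ("- Support to Wake on Power feature"). Use one marker, and consider moving the inline "Note:" about the 15" AMD model onto its own line.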
diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md
index 2f8061c0b4..3e867c8f49 100644
--- a/devices/surface/surface-pro-arm-app-management.md
+++ b/devices/surface/surface-pro-arm-app-management.md
@@ -8,7 +8,7 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
-ms.date: 10/03/2019
+ms.date: 11/20/2019
ms.reviewer: jessko
manager: dansimp
ms.audience: itpro
@@ -36,7 +36,7 @@ Organizations already using modern management, security, and productivity soluti
## Image-based deployment considerations
-Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager (SCCM) operating system deployment currently do not support Surface Pro X. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
+Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager) currently do not support Surface Pro X for operating system deployment. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
## Managing Surface Pro X devices
@@ -48,7 +48,7 @@ For more information about setting up Intune, refer to the [Intune documentation
### Co-management
-Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with SCCM, which will install the 32-bit x86 ConfigMgr client.
+Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with Endpoint Configuration Manager, which will install the 32-bit x86 ConfigMgr client.
### Third party MDM solutions
@@ -69,6 +69,12 @@ Outside of personal devices that rely on Windows Update, servicing devices in mo
> [!NOTE]
> Surface Pro X supports Windows 10, version 1903 and later.
+### Windows Server Update Services
+Windows Server Update Services (WSUS) does not support the ability to deliver drivers and firmware to Surface Pro X.
+
+For more information, refer to the [Microsoft Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/sum/get-started/configure-classifications-and-products).
+
+
## Running apps on Surface Pro X
Most apps run on ARM-based Windows 10 PCs with limited exclusions.
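Review bot: The new "### Windows Server Update Services" heading is followed directly by its paragraph with no blank line, and the section ends with two empty `+` lines. Add a blank line after the heading and drop one of the trailing ones. The section says WSUS cannot deliver drivers and firmware to Surface Pro X and then links to the Endpoint Configuration Manager documentation without saying how the two relate. One sentence naming the servicing path the reader should use instead would make the link purposeful.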
@@ -120,7 +126,7 @@ The following tables show the availability of selected key features on Surface P
| Support for Network Boot (PXE) | Yes | Yes | |
| Windows Configuration Designer | Yes | No | Not recommended for Surface Pro X. |
| WinPE | Yes | Yes | Not recommended for Surface Pro X. Microsoft does not provide the necessary .ISO and drivers to support WinPE with Surface Pro X. |
-| SCCM: Operating System Deployment (OSD) | Yes | No | Not supported on Surface Pro X. |
+| Endpoint Configuration Manager: Operating System Deployment (OSD) | Yes | No | Not supported on Surface Pro X. |
| MDT | Yes | No | Not supported on Surface Pro X. |
@@ -129,7 +135,7 @@ The following tables show the availability of selected key features on Surface P
| Intune | Yes | Yes | Manage LTE with eSIM profiles. |
| Windows Autopilot | Yes | Yes | |
| Azure AD (co-management) | Yes | Yes | Ability to join Surface Pro X to Azure AD or Active Directory (Hybrid Azure AD Join). |
-| SCCM | Yes | Yes | |
+| Endpoint Configuration Manager | Yes | Yes | |
| Power on When AC Restore | Yes | Yes | |
| Surface Diagnostic Toolkit (SDT) for Business | Yes | Yes | |
| Surface Dock Firmware Update | Yes | Yes | |
@@ -150,9 +156,9 @@ The following tables show the availability of selected key features on Surface P
| Surface Data Eraser (SDE) | Yes | Yes |
## FAQ
-### Can I deploy Surface Pro X with MDT or SCCM?
+### Can I deploy Surface Pro X with MDT or Endpoint Configuration Manager?
-The Microsoft Deployment Toolkit and System Center Configuration Manager operating system deployment currently do not support Surface Pro X. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
+The Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager currently do not support Surface Pro X for operating system deployment.Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
### How can I deploy Surface Pro X?
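Review bot: The replacement FAQ answer is missing a space after the period in "operating system deployment.Customers relying on image-based deployment". The matching sentence in the "Image-based deployment considerations" hunk has the space and also carries the "(formerly System Center Configuration Manager)" qualifier. Align the two so the FAQ does not drift from the body text.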
@@ -164,4 +170,4 @@ Yes.
### Is Intune required to manage Surface Pro X?
-Intune is recommended but not required. Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with SCCM, which will install the 32-bit x86 ConfigMgr client.
+Intune is recommended but not required. Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with Endpoint Configuration Manager, which will install the 32-bit x86 ConfigMgr client.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
index dc8f75b9f2..963402fe1d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot problems with attack surface reduction rules
-description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues
+description: Check prerequisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues
keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -10,11 +10,12 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
ms.date: 03/27/2019
ms.reviewer:
manager: dansimp
+ms.custom: asr
---
# Troubleshoot attack surface reduction rules
@@ -23,48 +24,56 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-When you use [attack surface reduction rules](attack-surface-reduction.md) you may encounter issues, such as:
+When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as:
-* A rule blocks a file, process, or performs some other action that it should not (false positive)
-* A rule does not work as described, or does not block a file or process that it should (false negative)
+- A rule blocks a file, process, or performs some other action that it should not (false positive)
+
+- A rule does not work as described, or does not block a file or process that it should (false negative)
There are four steps to troubleshooting these problems:
-1. Confirm prerequisites
-2. Use audit mode to test the rule
-3. Add exclusions for the specified rule (for false positives)
-4. Submit support logs
+1. [Confirm prerequisites](#confirm-prerequisites)
+
+2. [Use audit mode to test the rule](#use-audit-mode-to-test-the-rule)
+
+3. [Add exclusions for the specified rule](#add-exclusions-for-a-false-positive) (for false positives)
+
+4. [Submit support logs](#collect-diagnostic-data-for-file-submissions)
## Confirm prerequisites
Attack surface reduction rules will only work on devices with the following conditions:
-> [!div class="checklist"]
-> * Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
-> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
-> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
-> * Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+- Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
-If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
+- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+
+- [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
+
+- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+
+If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.
## Use audit mode to test the rule
-You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.
+You can visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.
Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with.
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run.
-2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
-3. [Review the attack surface reductio rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
->
->If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
->
->Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
+2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
+
+3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
+
+If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
+
+Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation:
1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
+
2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
## Add exclusions for a false positive
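Review bot: "Windows Defender Testground" becomes "Windows Defender Test ground" in the audit mode section, which splits what reads as the site's name (the link still carries `ocid=cx-wddocs-testground`). Elsewhere in this patch the same URL is called the "Microsoft Defender ATP demo website". Pick one name and use it in both files. Separately, the two paragraphs after step 3 ("first check if audit mode is enabled" and "Audit mode may have been enabled for testing another feature") lose their `>` quoting and now sit at column 0 after the numbered list. Since this is the caveat that explains why a rule silently fails to block, consider keeping it as a `> [!NOTE]` or indenting it under step 3 so it stays attached to the procedure.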
@@ -79,7 +88,7 @@ To add an exclusion, see [Customize Attack surface reduction](customize-attack-s
## Report a false positive or false negative
-Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md).
+Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md).
## Collect diagnostic data for file submissions
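Review bot: The rewritten sentence still says to report a false negative or false positive "for network protection", but this file is troubleshoot-asr.md and the section sits under attack surface reduction rules. Since the line is being touched anyway, change it to refer to attack surface reduction rules, and confirm that "Windows E5 subscription" is the intended licence name.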
@@ -97,10 +106,12 @@ When you report a problem with attack surface reduction rules, you are asked to
mpcmdrun -getfiles
```
-3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
+3. By default, they are saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form.
-## Related topics
+## Related articles
-* [Attack surface reduction rules](attack-surface-reduction.md)
-* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+- [Attack surface reduction rules](attack-surface-reduction.md)
+
+- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+
+- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
index af397987a0..8589345cbe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot problems with Network protection
-description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues
+description: Check prerequisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues
keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -61,12 +61,12 @@ You can enable network protection in audit mode and then visit a website that we
1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
- >
- >If network protection is not blocking a connection that you are expecting it should block, enable the feature.
+
+ If network protection is not blocking a connection that you are expecting it should block, enable the feature.
-```PowerShell
-Set-MpPreference -EnableNetworkProtection Enabled
-```
+ ```PowerShell
+ Set-MpPreference -EnableNetworkProtection Enabled
+ ```
## Report a false positive or false negative
diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
index 3cb7596969..c4c23a9ddd 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -24,35 +25,35 @@ manager: dansimp
This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in.
-Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require pre-requisites, and taken any other suggested troubleshooting steps.
+Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps.
-1. On at least two endpoints that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by following this process:
+On at least two endpoints that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by following this process:
- 1. Open an administrator-level version of the command prompt:
+1. Open an administrator-level version of the command prompt as follows:
- 1. Open the **Start** menu.
+ a. Open the **Start** menu.
+
+ b. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
+
+ c. Enter administrator credentials or approve the prompt.
- 2. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
+2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example:
+
+ ```Dos
+ cd c:\program files\windows\defender
+ ```
+
+3. Enter the following command and press **Enter**
- 3. Enter administrator credentials or approve the prompt.
-
- 2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example:
-
- ```Dos
- cd c:\program files\windows\defender
- ```
+ ```Dos
+ mpcmdrun -getfiles
+ ```
- 3. Enter the following command and press **Enter**
-
- ```Dos
- mpcmdrun -getfiles
- ```
-
- 4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt, but by default it will be in C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.
+4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt, but by default it will be in C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.
-2. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
+5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
-3. Send an email using the Update Compliance support email template, and fill out the template with the following information:
+6. Send an email using the Update Compliance support email template, and fill out the template with the following information:
```
I am encountering the following issue when using Windows Defender Antivirus in Update Compliance:
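Review bot: The re-indented example in step 2 keeps `cd c:\program files\windows\defender`, which does not match the directory named in the sentence above it (C:\Program Files\Windows Defender), so the `cd` fails and the following `mpcmdrun -getfiles` is not found. Change it to `cd "c:\program files\windows defender"`. Other points in this hunk: "met all require prerequisites" should be "required"; the hand-lettered sub-steps "a.", "b.", "c." will not render as a nested list; step 3 ends without punctuation after "press **Enter**"; and the default .cab path in step 4 is plain text here while troubleshoot-asr.md in the same patch puts it in backticks.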
@@ -64,7 +65,7 @@ Before attempting this process, ensure you have read [Troubleshoot Windows Defen
Please contact me at:
```
-## Related topics
+## See also
- [Troubleshoot Windows Defender Windows Defender Antivirus reporting](troubleshoot-reporting.md)
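Review bot: This heading is renamed from "## Related topics" to "## See also", while troubleshoot-asr.md in the same patch renames the same heading to "## Related articles". Use one of the two across the doc set. The link text on the following context line also reads "Troubleshoot Windows Defender Windows Defender Antivirus reporting" with the product name doubled, which is worth fixing while this section is open.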
diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
index 6832c65573..b5d9f68991 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Use the command line to manage Windows Defender Antivirus
-description: Run Windows Defender Antivirus scans and configure next gen protection with a dedicated command-line utility.
+description: Run Windows Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility.
keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.reviewer:
manager: dansimp
---
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
index 4d41c1529f..7bee1e3696 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Manage Windows Defender in your business
-description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line to manage Windows Defender AV
+description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Windows Defender AV
keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
index bd6ba2bfb4..5d969e79a9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 10/25/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index 0100d2bd05..47b2f1d42a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -9,10 +9,11 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
ms.reviewer:
manager: dansimp
+ms.custom: nextgen
---
# Enable block at first sight
@@ -21,16 +22,12 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds.
+Block at first sight is a feature of next-generation protection that provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
-It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention.
-
-You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file.
-
-You can also [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
+You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
>[!TIP]
->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
+>Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
## How it works
@@ -55,8 +52,8 @@ Block at first sight requires a number of settings to be configured correctly or
1. In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**.
-> [!NOTE]
-> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
+ > [!NOTE]
+ > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
2. Verify these settings are configured as follows:
@@ -67,8 +64,8 @@ Block at first sight requires a number of settings to be configured correctly or

-> [!Warning]
-> Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus).
+ > [!WARNING]
+ > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus).
For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
@@ -77,18 +74,24 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev
### Enable block at first sight with SCCM
1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**.
-1. Click **Home** > **Create Antimalware Policy**.
-1. Enter a name and a description, and add these settings:
+
+2. Click **Home** > **Create Antimalware Policy**.
+
+3. Enter a name and a description, and add these settings:
- **Real time protection**
- **Advanced**
- **Cloud Protection Service**
-1. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
+
+4. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.

-1. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
+
+5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.

-1. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.
+
+6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.

-1. Click **OK** to create the policy.
+
+7. Click **OK** to create the policy.
### Confirm block at first sight is enabled with Group Policy
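Review bot: Step 5 repeats step 4's settings word for word: under **Advanced** it again tells the reader to set **Enable real-time protection** to **Yes** and **Scan system files** to **Scan incoming and outgoing files**. The renumbering carries that sentence over unchanged, so confirm which settings actually belong on the Advanced page and replace the duplicated text. As written, a reader cannot tell what to configure there.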
@@ -97,25 +100,20 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies:
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**:
- 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
+ - Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
- 2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following:
+ - Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**.
- - Send safe samples (1)
- - Send all samples (3)
+ > [!WARNING]
+ > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
- > [!WARNING]
- > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means block at first sight will not function.
+4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Windows Defender Antivirus** > **Real-time Protection**:
- 3. Click **OK**.
+ 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**.
-4. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**:
-
- 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**. Click **OK**.
-
- 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**. Click **OK**.
+ 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**.
If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
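Review bot: In the new step 3 the lead-in now ends with "and then click **OK**", but the first bullet (**Join Microsoft MAPS**) still ends with "Click **OK**." and the second bullet has no OK instruction at all. Each setting is opened with its own double-click, so suggest dropping the OK from the lead-in and ending both bullets with "and then click **OK**", matching the wording used in step 4.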
@@ -125,7 +123,7 @@ You can confirm that block at first sight is enabled in Windows Settings.
Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
-**Confirm Block at First Sight is enabled on individual clients**
+### Confirm Block at First Sight is enabled on individual clients
1. Open the Windows Security app by clicking the shield icon in the task bar.
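Review bot: The promoted heading capitalizes "Block at First Sight" while the neighbouring headings use lower case ("### Confirm block at first sight is enabled with Group Policy", "### Validate block at first sight is working"). Suggest "### Confirm block at first sight is enabled on individual clients" so the headings are consistent.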
@@ -136,7 +134,7 @@ Block at first sight is automatically enabled as long as **Cloud-based protectio
3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
> [!NOTE]
-> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
### Validate block at first sight is working
@@ -147,20 +145,20 @@ You can validate that the feature is working by following the steps outlined in
> [!WARNING]
> Disabling block at first sight will lower the protection state of the endpoint and your network.
-You may choose to disable block at first sight if you want to retain the pre-requisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
+You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
-**Disable block at first sight with Group Policy**
+### Disable block at first sight with Group Policy
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**.
+3. Expand the tree through **Windows components** > **Windows Defender Antivirus** > **MAPS**.
4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**.
> [!NOTE]
- > Disabling block at first sight will not disable or alter the pre-requisite group policies.
+ > Disabling block at first sight will not disable or alter the prerequisite group policies.
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
index 7b99538868..1b9c177447 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
@@ -9,11 +9,13 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
+ms.custom: nextgen
---
# Configure the cloud block timeout period
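Review bot: `ms.custom: nextgen` is added twice in this front matter, once after `ms.author` and again after `manager`. A duplicate key in YAML metadata is redundant at best and may be rejected or resolved unpredictably by a parser. Keep only the first one, which is the placement the other files in this change use.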
@@ -47,6 +49,6 @@ You can use Group Policy to specify an extended timeout for cloud checks.
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Use next-gen antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+- [Use next-generation antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
index d4eface258..47161748b2 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
index 21812cde6a..f6da565014 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index c83644c873..a1020bef6f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 12/10/2018
ms.reviewer:
manager: dansimp
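Review bot: `ms.date` stays at 12/10/2018 in this hunk even though the same commit changes the author fields and rewrites several sections of this article's body. If the date is meant to reflect the last meaningful content update, bump it here.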
@@ -25,26 +26,23 @@ manager: dansimp
> [!IMPORTANT]
> Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md).
-You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists.
+## Exclusion lists
-Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
+You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
> [!NOTE]
-> Automatic exclusions apply only to Windows Server 2016 and above.
+> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
->[!TIP]
->The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
-
-This topic describes how to configure exclusion lists for the following:
+This topic describes how to configure exclusion lists for the files and folders.
Exclusion | Examples | Exclusion list
---|---|---
-Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions
-Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
-A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
-A specific process | The executable file c:\test\process.exe | File and folder exclusions
+Any file with a specific extension | All files with the `.test` extension, anywhere on the machine | Extension exclusions
+Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions
+A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions
+A specific process | The executable file `c:\test\process.exe` | File and folder exclusions
-This means the exclusion lists have the following characteristics:
+Exclusion lists have the following characteristics:
- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
- File extensions will apply to any file name with the defined extension if a path or folder is not defined.
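Review bot: The rewritten lead-in, "This topic describes how to configure exclusion lists for the files and folders.", no longer introduces the table that follows it, and it narrows the scope to files and folders while the table still has rows for extension and process exclusions. Suggest a lead-in that ends in a colon and matches the table rows. Separately, the merged note now puts "The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default" directly after the Windows Server 2016 sentence, although the two statements are unrelated; consider keeping them as separate callouts.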
@@ -65,21 +63,23 @@ The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defen
>
>Changes made in the Windows Security app **will not show** in the Group Policy lists.
-By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in case of conflicts.
+By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence when there are conflicts.
You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
## Configure the list of exclusions based on folder name or file extension
-**Use Intune to configure file name, folder, or file extension exclusions:**
+### Use Intune to configure file name, folder, or file extension exclusions
-See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
+See the following articles:
+- [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure)
+- [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus)
-**Use Configuration Manager to configure file name, folder, or file extension exclusions:**
+### Use Configuration Manager to configure file name, folder, or file extension exclusions
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
-**Use Group Policy to configure folder or file extension exclusions:**
+### Use Group Policy to configure folder or file extension exclusions
>[!NOTE]
>If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
@@ -112,7 +112,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
-**Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:**
+### Use PowerShell cmdlets to configure file name, folder, or file extension exclusions
Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
@@ -140,15 +140,15 @@ All files under a folder (including files in subdirectories), or a specific file
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
-For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test** file extension:
+For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the `.test` file extension:
```PowerShell
Add-MpPreference -ExclusionExtension ".test"
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
-**Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:**
+### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions
Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
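Review bot: The promoted heading still expands WMI as "Windows Management Instruction"; the technology's name is Windows Management Instrumentation. Since the line is being turned into a ### heading, which generates an anchor, fix the name in this change so the anchor does not have to change later.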
@@ -159,20 +159,18 @@ ExclusionPath
The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
-See the following for more information and allowed parameters:
-
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
-**Use the Windows Security app to configure file name, folder, or file extension exclusions:**
+### Use the Windows Security app to configure file name, folder, or file extension exclusions
See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
## Use wildcards in the file name and folder path or extension exclusion lists
-You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages, so you should read this section to understand their specific limitations.
+You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
>[!IMPORTANT]
>There are key limitations and usage scenarios for these wildcards:
@@ -193,7 +191,7 @@ The following table describes how the wildcards can be used and provides some ex
* (asterisk) |
Replaces any number of characters. Only applies to files in the last folder defined in the argument. |
- Replaces a single folder. Use multiple * with folder slashes \ to indicate multiple, nested folders. After matching the number of wilcarded and named folders, all subfolders will also be included. |
+ Replaces a single folder. Use multiple * with folder slashes \ to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders will also be included. |
- C:\MyData\*.txt
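Review bot: "wild carded" replaces the typo "wilcarded" with a two-word form that is still not the intended word; use "wildcarded". The same replacement is made in the question-mark row of this table and needs the same fix.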
@@ -227,7 +225,7 @@ The following table describes how the wildcards can be used and provides some ex
|
Replaces a single character in a folder name.
- After matching the number of wilcarded and named folders, all subfolders will also be included.
+ After matching the number of wild carded and named folders, all subfolders will also be included.
|
@@ -264,15 +262,20 @@ The following table describes how the wildcards can be used and provides some ex
>[!IMPORTANT]
>If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
>
->For example, you can exclude all files that start with "date" in the folders *c:\data\final\marked* and *c:\data\review\marked* by using the rule argument c:\data\\\*\marked\date*.\*.
+>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument c:\data\\\*\marked\date*.\*.
>
->This argument, however, will not match any files in **subfolders** under *c:\data\final\marked* or *c:\data\review\marked*.
+>This argument, however, will not match any files in **subfolders** under `c:\data\final\marked` or `c:\data\review\marked`.
## Review the list of exclusions
-You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), MpCmdRun, PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
+You can retrieve the items in the exclusion list using one of the following methods:
+- [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
+- [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings)
+- MpCmdRun
+- PowerShell
+- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions)
>[!IMPORTANT]
>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
@@ -284,7 +287,7 @@ If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
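Review bot: In the IMPORTANT block the two folder paths are now in code formatting, but the rule argument itself is left as plain text with Markdown escapes (c:\data\\\*\marked\date*.\*), and that is the one string a reader is likely to copy. Put the argument in backticks as well and drop the escape backslashes so it renders literally.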
-**Validate the exclusion list by using MpCmdRun:**
+### Validate the exclusion list by using MpCmdRun
To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
@@ -295,7 +298,7 @@ MpCmdRun.exe -CheckExclusion -path
>[!NOTE]
>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
-**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:**
+### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
@@ -307,9 +310,9 @@ In the following example, the items contained in the `ExclusionExtension` list a

-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
-**Retrieve a specific exclusions list by using PowerShell:**
+### Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
@@ -323,7 +326,7 @@ In the following example, the list is split into new lines for each use of the `

-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
@@ -331,15 +334,15 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use
You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
-In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path.
+In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path.
```PowerShell
Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
```
-If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
+If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
-You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
+You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
```PowerShell
$client = new-object System.Net.WebClient
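Review bot: In the first changed sentence the placeholder is still italic in "replace *test.txt* with a file" but becomes `test.txt` later in the same paragraph, and the WebClient paragraph keeps *c:\test.txt* in italics. Use code formatting for every occurrence of the file name so the convention introduced by this hunk is applied consistently.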
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
index 499df8dfac..c51a7da9ea 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index d600158473..a562fd5f60 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 10/08/2018
ms.reviewer:
manager: dansimp
@@ -24,9 +25,9 @@ manager: dansimp
To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
-This topic lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services.
+This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services.
-See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity.
+See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity.
>[!TIP]
>You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
@@ -37,7 +38,7 @@ See the Enterprise Mobility and Security blog post [Important changes to Microso
## Allow connections to the Windows Defender Antivirus cloud service
-The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides very important protection against malware on your endpoints and across your network.
+The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
@@ -46,18 +47,18 @@ See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender
After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
-As a cloud service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The URL: "\*.blob.core.windows.net" should not be excluded from any kind of network inspection. The table below lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL: "\*.blob.core.windows.net"). Below mention URLs are using port 443 for communication.
+Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
| **Service**| **Description** |**URL** |
| :--: | :-- | :-- |
-| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|\*.wdcp.microsoft.com \*.wdcpalt.microsoft.com \*.wd.microsoft.com|
-| *Microsoft Update Service (MU)*| Security intelligence and product updates |\*.update.microsoft.com|
-| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| \*.download.microsoft.com|
-| *Malware submission storage*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net |
-| *Certificate Revocation List (CRL)*|Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs |
-| *Symbol Store*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
-| *Universal Telemetry Client*| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: vortex-win.data.microsoft.com settings-win.data.microsoft.com|
+| Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` `*.wdcpalt.microsoft.com` `*.wd.microsoft.com`|
+| Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`|
+|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`|
+| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` `ussus1westprod.blob.core.windows.net` `usseu1northprod.blob.core.windows.net` `usseu1westprod.blob.core.windows.net` `ussuk1southprod.blob.core.windows.net` `ussuk1westprod.blob.core.windows.net` `ussas1eastprod.blob.core.windows.net` `ussas1southeastprod.blob.core.windows.net` `ussau1eastprod.blob.core.windows.net` `ussau1southeastprod.blob.core.windows.net` |
+| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/` `https://www.microsoft.com/pkiops/certs` `https://crl.microsoft.com/pki/crl/products` `https://www.microsoft.com/pki/certs` |
+| Symbol Store|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
+| Universal Telemetry Client| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com` `settings-win.data.microsoft.com`|
## Validate connections between your network and the cloud
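Review bot: The Certificate Revocation List row switches all four URLs from `http://` to `https://` (for example `http://www.microsoft.com/pkiops/crl/` becomes `https://www.microsoft.com/pkiops/crl/`). CRL distribution points are normally fetched over plain HTTP, so please confirm that these endpoints are really meant to be reached over HTTPS and that this is not a side effect of a bulk link rewrite; a firewall rule written from this table would otherwise allow the wrong port. In the rewritten paragraph above the table, "Below mention URLs are using port 443 for communication" is carried over unchanged and should read along the lines of "The URLs in the table below use port 443", and the parenthetical "(excluding the URL `*.blob.core.windows.net`)" is still ambiguous next to "Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection".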
@@ -66,7 +67,7 @@ After whitelisting the URLs listed above, you can test if you are connected to t
**Use the cmdline tool to validate cloud-delivered protection:**
-Use the following argument with the Windows Defender Antivirus command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender Antivirus cloud service:
+Use the following argument with the Windows Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Windows Defender Antivirus cloud service:
```DOS
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
@@ -75,7 +76,7 @@ Use the following argument with the Windows Defender Antivirus command line util
> [!NOTE]
> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher.
-See [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.
+For more information, see [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md).
**Attempt to download a fake malware file from Microsoft:**
@@ -112,16 +113,19 @@ You will also see a detection under **Quarantined threats** in the **Scan histor

>[!NOTE]
->Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md) for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces.
+>Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md).
The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md).
>[!IMPORTANT]
>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
-## Related topics
+## Related articles
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+
- [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
-- [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/)
+
+- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006)
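Review bot: The "Run an Windows Defender Antivirus scan from the command line" bullet is left untouched between the newly added blank lines: "an Windows" should be "a Windows", and both links in that bullet point to the same `command-line-arguments-windows-defender-antivirus.md` target, so one of them is redundant. Please also confirm the blank lines added between bullets are intended, since they turn the list into a loose list in which each item renders as its own paragraph.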
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index 61c02f6a88..6bd6aeb7b2 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index d2191e0488..36714d75c3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 12/10/2018
ms.reviewer:
manager: dansimp
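Review bot: `ms.date: 12/10/2018` stays unchanged in this front matter although the author fields change here and several body headings change later in the same file. If `ms.date` is meant to reflect the last substantive edit, update it in this hunk.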
@@ -52,15 +53,15 @@ You can [configure how locally and globally defined exclusions lists are merged]
-**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:**
+### Use Microsoft Intune to exclude files that have been opened by specified processes from scans
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
-**Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans:**
+### Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
-**Use Group Policy to exclude files that have been opened by specified processes from scans:**
+### Use Group Policy to exclude files that have been opened by specified processes from scans
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -80,7 +81,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
-**Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:**
+### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
@@ -109,7 +110,7 @@ Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:**
+### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
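Review bot: The new heading keeps the expansion "Windows Management Instruction (WMI)"; WMI stands for Windows Management Instrumentation, and the same wording is promoted to a heading in configure-server-exclusions-windows-defender-antivirus.md in this change. The context line above it also links to `use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md`, which contains spaces and does not match the `use-powershell-cmdlets-windows-defender-antivirus.md` target used elsewhere in this file, so that link is worth fixing in the same pass.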
@@ -125,7 +126,7 @@ See the following for more information and allowed parameters:
-**Use the Windows Security app to exclude files that have been opened by specified processes from scans:**
+### Use the Windows Security app to exclude files that have been opened by specified processes from scans
See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
@@ -156,7 +157,7 @@ If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
-**Validate the exclusion list by using MpCmdRun:**
+### Validate the exclusion list by using MpCmdRun
To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
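Review bot: The link under the new "Validate the exclusion list by using MpCmdRun" heading still ends in `?branch=v-anbic-wdav-new-mpcmdrun-options`, which pins readers to a working branch of the docs site. Since this section is being touched, drop the query string, and consider a relative link to the article as the neighbouring sections use.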
@@ -168,7 +169,7 @@ MpCmdRun.exe -CheckExclusion -path
>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
-**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:**
+### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
@@ -178,7 +179,7 @@ Get-MpPreference
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Retrieve a specific exclusions list by using PowerShell:**
+### Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
@@ -189,7 +190,7 @@ $WDAVprefs.ExclusionProcess
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-## Related topics
+## Related articles
- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
index c1495c80c6..8e6f966e08 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
index 90c2964d84..b62d657934 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
@@ -9,11 +9,12 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
ms.date: 11/13/2018
ms.reviewer:
manager: dansimp
+ms.custom: nextgen
---
# Enable and configure antivirus always-on protection and monitoring
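Review bot: `ms.custom: nextgen` is added after `manager: dansimp` in this front matter, while the other metadata hunks in this change insert it directly after `ms.author: deniseb`. Pick one position and use it in every file so the front matter stays uniform and easy to diff.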
@@ -59,7 +60,7 @@ Root | Allow antimalware service to remain running always | If protection update
The main real-time protection capability is enabled by default, but you can disable it with Group Policy:
-**Use Group Policy to disable real-time protection:**
+### Use Group Policy to disable real-time protection
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -69,7 +70,7 @@ The main real-time protection capability is enabled by default, but you can disa
4. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**.
-## Related topics
+## Related articles
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
index 2b5bb82466..9702fdb478 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index caae6efc4e..85b7b015a3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -11,8 +11,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
---
# Configure Windows Defender Antivirus exclusions on Windows Server
@@ -35,8 +36,6 @@ Custom exclusions take precedence over automatic exclusions.
> [!TIP]
> Custom and duplicate exclusions do not conflict with automatic exclusions.
-
-
Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
## Opt out of automatic exclusions
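Review bot: The paragraph starting "Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools" needs one blank line between it and the `> [!TIP]` block above it, and this hunk removes two blank lines at exactly that spot. Please confirm one separator remains, because Markdown treats an unquoted line directly after a `>` line as a lazy continuation and would render that sentence inside the tip.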
@@ -54,7 +53,7 @@ In Windows Server 2016, the predefined exclusions delivered by Security intellig
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
-**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
+### Use Group Policy to disable the auto-exclusions list on Windows Server 2016
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -74,7 +73,7 @@ Set-MpPreference -DisableAutoExclusions $true
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:**
+### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -294,6 +293,7 @@ This section lists the exclusions that are delivered automatically when you inst
- %systemroot%\System32\lsass.exe
### DHCP Server exclusions
+
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
- *%systemroot%*\System32\DHCP\\*\\\*.mdb
@@ -307,6 +307,7 @@ This section lists the exclusions that are delivered automatically when you inst
- *%systemroot%*\System32\DHCP\\*\\\*.edb
### DNS Server exclusions
+
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
- File and folder exclusions for the DNS Server role:
@@ -324,6 +325,7 @@ This section lists the file and folder exclusions and the process exclusions tha
- *%systemroot%*\System32\dns.exe
### File and Storage Services exclusions
+
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
- *%SystemDrive%*\ClusterStorage
@@ -333,6 +335,7 @@ This section lists the file and folder exclusions that are delivered automatical
- *%SystemDrive%*\mscs
### Print Server exclusions
+
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
- File type exclusions:
@@ -350,6 +353,7 @@ This section lists the file type exclusions, folder exclusions, and the process
- spoolsv.exe
### Web Server exclusions
+
This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
- Folder exclusions:
@@ -373,6 +377,7 @@ This section lists the folder exclusions and the process exclusions that are del
- *%SystemDrive%*\PHP5433\php-cgi.exe
### Windows Server Update Services exclusions
+
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
- *%systemroot%*\WSUS\WSUSContent
@@ -383,7 +388,7 @@ This section lists the folder exclusions that are delivered automatically when y
- *%systemroot%*\SoftwareDistribution\Download
-## Related topics
+## Related articles
- [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
index da95773da3..d771955c80 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index a700977d08..4e5666fd45 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index b95dce5844..ad4a8eee3e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
index 4371855830..9f668be613 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index 307d8fcd7d..3dfe9a2e82 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -202,6 +203,6 @@ On Windows Server 2016, Windows Defender Antivirus will automatically deliver th
## Additional resources
-- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
+- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( https://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)
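Review bot: The rewritten video link still has a space after the opening parenthesis (`]( https://channel9.msdn.com/...`), and its link text reads "System Center Configuration Manger 2012". Since the line is already being changed for the `https` scheme, remove the leading space and correct "Manger" to "Manager" in the same edit.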
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index acad6edc05..c9ade7db82 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
audience: ITPro
ms.date: 10/02/2018
ms.reviewer:
@@ -142,7 +143,7 @@ See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for det
Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus.
-## Related topics
+## Related articles
-- [Next gen protection](windows-defender-antivirus-in-windows-10.md)
+- [Next-generation protection](windows-defender-antivirus-in-windows-10.md)
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index c9aca52f0d..1bc4cdbd31 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -9,10 +9,11 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
ms.reviewer:
manager: dansimp
+ms.custom: nextgen
---
# Enable cloud-delivered protection
diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
index 33b7f2e9ab..6173192baf 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
index a5cbbeb7a7..8285dbdc5e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -26,9 +27,9 @@ manager: dansimp
Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
-It can only be enabled in certain situations. See [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products.
+It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md).
-**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the Windows Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
+**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Windows Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
## How to enable limited periodic scanning
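Review bot: The rewritten "It can only be enabled in certain situations" line calls the product "Microsoft Defender Antivirus", while the link text in the same sentence and the paragraph that follows still say "Windows Defender Antivirus". Pick one name and use it throughout the article. The rewrite also drops the statement that the linked article explains when limited periodic scanning can be enabled, which is what "certain situations" points to; consider keeping that clause.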
@@ -42,15 +43,15 @@ If another antivirus product is installed and working correctly, Windows Defende

-Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.
+Underneath any third party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.

-Sliding the swtich to **On** will show the standard Windows Defender AV options underneath the 3rd party AV product. The limited periodic scanning option will appear at the bottom of the page.
+Sliding the switch to **On** will show the standard Windows Defender AV options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page.

-## Related topics
+## Related articles
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
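Review bot: Both added lines use "third party" as a compound modifier ("third party AV products", "third party AV product"), so it should be hyphenated as "third-party". The rest of the hunk, including the "swtich" to "switch" fix, looks fine.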
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
index 805f9c697f..c238f05823 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
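Review bot: The front matter changes `author` and `ms.author` and adds `ms.custom`, but `ms.date` stays at 09/03/2018 even though this commit rewrites headings, links and procedure steps in this article. Update `ms.date` to the date of this change so the published freshness date reflects the edit.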
@@ -28,7 +29,7 @@ Windows Defender Antivirus allows you to determine if updates should (or should
You can use System Center Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan.
-**Use Configuration Manager to check for protection updates before running a scan:**
+### Use Configuration Manager to check for protection updates before running a scan
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
@@ -36,23 +37,23 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet
3. Click **OK**.
-4.[Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+4. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
-**Use Group Policy to check for protection updates before running a scan:**
+### Use Group Policy to check for protection updates before running a scan
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**.
5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**.
6. Click **OK**.
-**Use PowerShell cmdlets to check for protection updates before running a scan:**
+### Use PowerShell cmdlets to check for protection updates before running a scan
Use the following cmdlets:
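Review bot: Step 2 now reads "Using the **Group Policy Management Editor** go to **Computer configuration**" with no comma after the introductory phrase, while the same step in the later "download updates when Windows Defender Antivirus is not present" procedure in this file has the comma. Add the comma here so the repeated steps are worded identically.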
@@ -60,9 +61,9 @@ Use the following cmdlets:
Set-MpPreference -CheckForSignaturesBeforeRunningScan
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index).
-**Use Windows Management Instruction (WMI) to check for protection updates before running a scan**
+### Use Windows Management Instruction (WMI) to check for protection updates before running a scan
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
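Review bot: The new heading keeps "Windows Management Instruction (WMI)", but WMI stands for Windows Management Instrumentation. Since the line is being rewritten anyway, correct the expansion here and in the other WMI headings this commit converts. Also, the `MSFT_MpPreference` link in the context line that follows still points to msdn.microsoft.com, whereas the same link in the later WMI section of this file is moved to docs.microsoft.com; update both.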
@@ -70,20 +71,19 @@ Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com
CheckForSignaturesBeforeRunningScan
```
-See the following for more information:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
## Check for protection updates on startup
You can use Group Policy to force Windows Defender Antivirus to check and download protection updates when the machine is started.
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**.
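Review bot: Step 4 sends the reader to **Signature Updates**, but the next procedure in this file uses **Security Intelligence Updates** for what appears to be the same Group Policy node. Confirm which name the current administrative templates show and use it in every procedure. Step 2 in this hunk is also missing the comma after "Editor".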
@@ -91,21 +91,21 @@ You can use Group Policy to force Windows Defender Antivirus to check and downlo
You can also use Group Policy, PowerShell, or WMI to configure Windows Defender Antivirus to check for updates at startup even when it is not running.
-**Use Group Policy to download updates when Windows Defender Antivirus is not present:**
+### Use Group Policy to download updates when Windows Defender Antivirus is not present
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor**, go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**.
5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**.
6. Click **OK**.
-**Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present:**
+### Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present
Use the following cmdlets:
@@ -113,43 +113,44 @@ Use the following cmdlets:
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
```
-See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present:**
+### Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present
-Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
+Use the [**Set** method of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
```WMI
SignatureDisableUpdateOnStartupWithoutEngine
```
-See the following for more information:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
## Allow ad hoc changes to protection based on cloud-delivered protection
-Windows Defender AV can make changes to its protection based on cloud-delivered protection. This can occur outside of normal or scheduled protection updates.
+Windows Defender AV can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates.
If you have enabled cloud-delivered protection, Windows Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Windows Defender AV to automatically receive that protection update. Other important protection updates can also be applied.
-**Use Group Policy to automatically download recent updates based on cloud-delivered protection:**
+### Use Group Policy to automatically download recent updates based on cloud-delivered protection
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following:
- 1. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
- 2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
+
+5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
+
+6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
> [!NOTE]
> "Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
-## Related topics
+## Related articles
- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
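Review bot: New step 6 lost its verb. It begins "**Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**", where the removed sub-step started with "Double-click"; restore it. The setting title was also changed to "definitions-based reports", while the NOTE directly below still quotes "definitions based reports". A quoted setting title has to match the Group Policy editor text exactly, so verify it and make the two agree. In the PowerShell section, the added sentence "For more information, see ... for more information on how to use PowerShell with Windows Defender Antivirus" repeats itself; drop the trailing clause.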
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
index ca75fa1e6f..fabe399119 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -32,7 +33,7 @@ When the user returns to work and logs on to their PC, Windows Defender Antiviru
If Windows Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md).
-**Use Configuration Manager to configure catch-up protection updates:**
+### Use Configuration Manager to configure catch-up protection updates
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
@@ -45,7 +46,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
4. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
-**Use Group Policy to enable and configure the catch-up update feature:**
+### Use Group Policy to enable and configure the catch-up update feature
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
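Review bot: The Group Policy Management Console link in step 1 (context line) still targets technet.microsoft.com/library/cc731212.aspx, and the Defender cmdlets and WMIv2 API links elsewhere in this file are likewise left on technet and msdn. The manage-event-based-updates article in this same commit moves those links to docs.microsoft.com; apply the same link updates here so the two articles do not diverge.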
@@ -59,7 +60,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
6. Click **OK**.
-**Use PowerShell cmdlets to configure catch-up protection updates:**
+### Use PowerShell cmdlets to configure catch-up protection updates
Use the following cmdlets:
@@ -69,7 +70,7 @@ Set-MpPreference -SignatureUpdateCatchupInterval
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to configure catch-up protection updates:**
+### Use Windows Management Instruction (WMI) to configure catch-up protection updates
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -81,13 +82,11 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-
-
## Set the number of days before protection is reported as out-of-date
You can also specify the number of days after which Windows Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
-**Use Group Policy to specify the number of days before protection is considered out-of-date:**
+### Use Group Policy to specify the number of days before protection is considered out-of-date
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -106,8 +105,6 @@ You can also specify the number of days after which Windows Defender Antivirus p
4. Click **OK**.
-
-
## Set up catch-up scans for endpoints that have not been scanned for a while
You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus will force a scan.
@@ -120,7 +117,7 @@ The process for enabling this feature is:
This feature can be enabled for both full and quick scans.
-**Use Group Policy to enable and configure the catch-up scan feature:**
+### Use Group Policy to enable and configure the catch-up scan feature
1. Ensure you have set up at least one scheduled scan.
@@ -140,7 +137,7 @@ This feature can be enabled for both full and quick scans.
> [!NOTE]
> The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run.
-**Use PowerShell cmdlets to configure catch-up scans:**
+### Use PowerShell cmdlets to configure catch-up scans
Use the following cmdlets:
@@ -152,7 +149,7 @@ Set-MpPreference -DisableCatchupQuickScan
See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to configure catch-up scans:**
+### Use Windows Management Instruction (WMI) to configure catch-up scans
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -165,7 +162,7 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-**Use Configuration Manager to configure catch-up scans:**
+### Use Configuration Manager to configure catch-up scans
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
@@ -175,8 +172,7 @@ See the following for more information and allowed parameters:
4. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
-
-## Related topics
+## Related articles
- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
index 146b92de6f..0185b12a58 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
@@ -10,8 +10,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -33,7 +34,7 @@ You can schedule updates for your endpoints by:
You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information.
-**Use Configuration Manager to schedule protection updates:**
+## Use Configuration Manager to schedule protection updates
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
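Review bot: The procedure headings in this file are promoted to `##`, the same level as `## Related articles`, whereas the equivalent "Use ... to ..." headings in the other articles in this commit become `###`. If these procedures sit directly under the H1, that is fine, but confirm the level is intentional so the generated table of contents is consistent across the update articles.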
@@ -47,7 +48,7 @@ You can also randomize the times when each endpoint checks and downloads protect
5. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
-**Use Group Policy to schedule protection updates:**
+## Use Group Policy to schedule protection updates
> [!IMPORTANT]
> By default, Windows Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
@@ -65,8 +66,7 @@ You can also randomize the times when each endpoint checks and downloads protect
3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
-
-**Use PowerShell cmdlets to schedule protection updates:**
+## Use PowerShell cmdlets to schedule protection updates
Use the following cmdlets:
@@ -78,7 +78,7 @@ Set-MpPreference -SignatureUpdateInterval
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to schedule protection updates:**
+## Use Windows Management Instruction (WMI) to schedule protection updates
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
@@ -92,7 +92,7 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-## Related topics
+## Related articles
- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index e5efd9c691..775068abed 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -24,6 +25,7 @@ manager: dansimp
There are two types of updates related to keeping Windows Defender Antivirus up to date:
1. Protection updates
+
2. Product updates
You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection.
@@ -34,7 +36,6 @@ Windows Defender Antivirus uses both [cloud-delivered protection](utilize-micros
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
-
## Product updates
Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
index 179c55aac4..94b9e04752 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -46,7 +47,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
2. Use a VBScript to create a script, then run it on each computer in your network.
3. Manually opt-in every computer on your network through the **Settings** menu.
-**Use Group Policy to opt-in to Microsoft Update:**
+### Use Group Policy to opt-in to Microsoft Update
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -54,18 +55,17 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
-**Use a VBScript to opt-in to Microsoft Update**
+### Use a VBScript to opt-in to Microsoft Update
1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
2. Run the VBScript you created on each computer in your network.
-
-**Manually opt-in to Microsoft Update**
+### Manually opt-in to Microsoft Update
1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
2. Click **Advanced** options.
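Review bot: The promoted headings keep the hyphenated "opt-in" as a verb ("Use a VBScript to opt-in to Microsoft Update", "Manually opt-in to Microsoft Update", and the Group Policy heading in the previous hunk). As a verb it is "opt in"; the hyphenated form is the noun or adjective. Since these lines become headings and therefore anchor targets, fix the wording now rather than after links to the anchors exist.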
@@ -75,7 +75,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
-**Use Group Policy to prevent security intelligence updates on battery power:**
+### Use Group Policy to prevent security intelligence updates on battery power
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -89,10 +89,7 @@ You can configure Windows Defender Antivirus to only download protection updates
2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.
-
-
-
-## Related topics
+## Related articles
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Update and manage Windows Defender Antivirus in Windows 10](deploy-manage-report-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index acfa9717f3..5eb2cef516 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -14,6 +14,7 @@ ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
+ms.custom: nextgen
---
# Protect security settings with Tamper Protection
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
index 583e4365b4..8f6ebb3c64 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -34,52 +35,49 @@ With the setting set to **Enabled**:
With the setting set to **Disabled** or not configured:
-
+
>[!NOTE]
->Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+>Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app."
-In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.":
+
-
+## Use Group Policy to hide the Windows Defender AV interface from users
-**Use Group Policy to hide the Windows Defender AV interface from users:**
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+3. Click **Administrative templates**.
-4. Click **Administrative templates**.
+4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
+5. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**.
-6. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**.
-
-
-Also see the [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topic for more options on preventing users form modifying protection on their PCs.
+See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs.
## Prevent users from pausing a scan
-You can prevent users from pausing scans. This can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
+You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
+### Use Group Policy to prevent users from pausing a scan
-**Use Group Policy to prevent users from pausing a scan:**
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+3. Click **Administrative templates**.
-4. Click **Administrative templates**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
-
-6. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**.
-
-
-## Related topics
+5. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**.
+## Related articles
- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+
- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)
+
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
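Review bot: The rewritten cross-reference line still reads "preventing users form modifying protection on their PCs"; "form" should be "from", and the line is already being touched. Two consistency points in the same hunk: step 4 of the first procedure keeps the whole path in one bold span (`**Windows components > Windows Defender Antivirus > Client interface**`) while step 4 of the pause-scan procedure bolds each node separately, and the first procedure heading is `##` while the second is `###`. Pick one path style and check that the heading levels match the sections they sit under.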
diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
index 41a8f3094f..16f606bbae 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Monitor and report on Windows Defender Antivirus protection
-description: Use Configuration Manager or SIEM tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI.
+description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI.
keywords: siem, monitor, report, windows defender av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -22,24 +23,22 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender Antivirus.
-
-You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
+With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings.
+If you have a third-party security information and event management (SIEM) server, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx).
-If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx).
+Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md).
-Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md).
-
-These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). It is common practice for SIEMs to have connectors for Windows events. This technique allows for correlation of all security events from the machine in the SIEM.
+These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). Often, SIEM servers have connectors for Windows events, allowing you to correlate all security events in your SIEM server.
You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-malware).
For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref2).
-## Related topics
+## Related articles
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
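Review bot: The body now says "SIEM server" in both rewritten paragraphs, but the `description` updated in this same patch says "security information and event management (SIEM) tools". Use one term in the front matter and the body so search results and the article agree. The blank line inserted between the two "Related articles" bullets is also not applied in the other articles of this patch that keep their bullets adjacent; drop it or apply it everywhere.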
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
index 68c4accc82..f99aa7584f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 11/16/2018
ms.reviewer:
manager: dansimp
@@ -32,7 +33,7 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y
> [!NOTE]
> You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV.
-## Related topics
+## Related articles
- [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
- [Review scan results](review-scan-results-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
index 1c07b37c51..78fed4d5d4 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -25,18 +26,17 @@ manager: dansimp
After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results.
-**Use Microsoft Intune to review scan results:**
+## Use Microsoft Intune to review scan results
1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
2. Click the scan results in **Device actions status**.
-**Use Configuration Manager to review scan results:**
+## Use Configuration Manager to review scan results
See [How to monitor Endpoint Protection status](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection).
-
-**Use the Windows Security app to review scan results:**
+## Use the Windows Security app to review scan results
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
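Review bot: The introductory sentence directly above the first new heading still reads "After an Windows Defender Antivirus scan completes ... the results are recorded and you can view the results." Since this hunk restructures the section, fix "an Windows" to "a Windows" and drop the repeated "the results" at the same time.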
@@ -45,10 +45,7 @@ See [How to monitor Endpoint Protection status](https://docs.microsoft.com/sccm/
- Click **See full history** for any of the sections to see previous detections and the action taken. You can also clear the list.
- Information about the last scan is displayed at the bottom of the page.
-
-
-
-**Use PowerShell cmdlets to review scan results:**
+## Use PowerShell cmdlets to review scan results
The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection:
@@ -70,15 +67,12 @@ Get-MpThreat
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to review scan results:**
+## Use Windows Management Instruction (WMI) to review scan results
Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) classes.
-
-
-
-## Related topics
+## Related articles
- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
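Review bot: The new heading "## Use Windows Management Instruction (WMI) to review scan results" carries over an incorrect expansion of the acronym; WMI is Windows Management Instrumentation. Promoting the line to a heading turns the wrong name into an anchor, so correct it in this change.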
diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
index 4c62952e60..66db88455e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -38,49 +39,40 @@ A full scan can be useful on endpoints that have encountered a malware threat to
>[!NOTE]
>By default, quick scans run on mounted removable devices, such as USB drives.
-**Use Configuration Manager to run a scan:**
+## Use Configuration Manager to run a scan
See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
-**Use the mpcmdrun.exe command-line utility to run a scan:**
+## Use the mpcmdrun.exe command-line utility to run a scan
Use the following `-scan` parameter:
```DOS
mpcmdrun.exe -scan -scantype 1
```
-
-
-
See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
-
-
-**Use Microsoft Intune to run a scan:**
+## Use Microsoft Intune to run a scan
1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
2. Select **...More** and then select **Quick Scan** or **Full Scan**.
-**Use the Windows Security app to run a scan:**
+## Use the Windows Security app to run a scan
See [Run a scan in the Windows Security app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
-
-
-**Use PowerShell cmdlets to run a scan:**
+## Use PowerShell cmdlets to run a scan
Use the following cmdlet:
```PowerShell
Start-MpScan
```
-
-
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to run a scan:**
+## Use Windows Management Instruction (WMI) to run a scan
Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/library/dn455324(v=vs.85).aspx#methods) class.
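Review bot: The new heading says "command-line utility" while the link text two paragraphs below it says "commandline tool" for the same mpcmdrun.exe; align the spelling and the noun. The last heading in this hunk, "## Use Windows Management Instruction (WMI) to run a scan", should read "Windows Management Instrumentation".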
@@ -88,8 +80,7 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-## Related topics
-
+## Related articles
- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
index bf6852066d..e49771c6ae 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 12/10/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
index f8a9335f5f..e6b6bf10d0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -9,11 +9,12 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
+ms.custom: nextgen
---
# Specify the cloud-delivered protection level
@@ -27,9 +28,7 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-
-
-**Use Intune to specify the level of cloud-delivered protection:**
+## Use Intune to specify the level of cloud-delivered protection
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
@@ -46,13 +45,15 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
-**Use Configuration Manager to specify the level of cloud-delivered protection:**
+## Use Configuration Manager to specify the level of cloud-delivered protection
-1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
-**Use Group Policy to specify the level of cloud-delivered protection:**
+## Use Group Policy to specify the level of cloud-delivered protection
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx).
+
+2. Right-click the Group Policy Object you want to configure, and then click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
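Review bot: The new step 1 still links the Group Policy Management Console to `https://technet.microsoft.com/library/cc731212.aspx`, while the prevent-end-user-interaction article in this same patch moves that link to `https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal`. Use the same target in every article that carries this step. Splitting the old step 1 into steps 1 and 2 does fix the numbering gap before step 3.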
@@ -60,20 +61,19 @@ For more information about Intune device profiles, including how to create and c
5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
-1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
- 1. **Default Windows Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
- 2. **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
- 3. **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
- 4. **Zero tolerance blocking level** blocks all unknown executables.
+6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
+ - **Default Windows Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
+ - **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
+ - **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
+ - **Zero tolerance blocking level** blocks all unknown executables.
+
+ > [!WARNING]
+ > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
- > [!WARNING]
- > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
-6. Click **OK**.
+7. Click **OK**.
-
-
-## Related topics
+## Related articles
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
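Review bot: The `[!WARNING]` now nested under step 6 names only **High** and **High +**, but the list above it also offers **Zero tolerance blocking level**, which by its own description "blocks all unknown executables". An administrator choosing that level gets no false-positive warning at all; extend the note to cover it. "Setting this switch" should also name the setting, **Select cloud protection level**, since nothing in the step is called a switch.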
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
index 787e3d4728..d123f26a35 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.reviewer:
manager: dansimp
---
@@ -34,7 +35,7 @@ For common error codes and event IDs related to the Windows Defender Antivirus s
There are three steps to troubleshooting these problems:
-1. Confirm that you have met all pre-requisites
+1. Confirm that you have met all prerequisites
2. Check your connectivity to the Windows Defender cloud-based service
3. Submit support logs
@@ -42,9 +43,9 @@ There are three steps to troubleshooting these problems:
>It typically takes 3 days for devices to start appearing in Update Compliance.
-## Confirm pre-requisites
+## Confirm prerequisites
-In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for Windows Defender Antivirus:
+In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the Update Compliance service and for Windows Defender Antivirus:
>[!div class="checklist"]
>- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
@@ -55,7 +56,7 @@ In order for devices to properly show up in Update Compliance, you have to meet
“You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
-If the above pre-requisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
+If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
> [!div class="nextstepaction"]
> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data-update-compliance.md)
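Review bot: The licensing paragraph just above the changed sentence opens with a curly quote and closes with a straight one, embeds a bare URL in parentheses, and ends with "see Windows 10 product licensing options" as plain text with no link. As this hunk is a wording cleanup of the same section, either format that paragraph as a note with proper links or remove the quotation marks.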
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
index a371aaca96..8b02e56f61 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/11/2018
ms.reviewer:
manager: dansimp
@@ -46,7 +47,7 @@ You can directly view the event log, or if you have a third-party security infor
The table in this section lists the main Windows Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
-**To view a Windows Defender Antivirus event**
+## To view a Windows Defender Antivirus event
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**.
@@ -54,9 +55,6 @@ The table in this section lists the main Windows Defender Antivirus event IDs an
4. In the details pane, view the list of individual events to find your event.
5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
-
-
-
Event ID: 1000 |
@@ -361,7 +359,7 @@ Message:
Description:
-For more information please see the following:
+For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -434,7 +432,7 @@ Message:
Description:
|
-Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
+Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
- User: <Domain>\<User>
- Name: <Threat name>
@@ -452,7 +450,7 @@ Windows Defender Antivirus has taken action to protect this machine from malware
- Quarantine: The resource was quarantined
- Remove: The resource was deleted
- Allow: The resource was allowed to execute/exist
-- User defined: User defined action which is normally one from this list of actions that the user has specified
+- User defined: User-defined action that is normally one from this list of actions that the user has specified
- No action: No action
- Block: The resource was blocked from executing
@@ -486,7 +484,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
+Windows Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information, see the following:
- User: <Domain>\<User>
- Name: <Threat name>
@@ -505,7 +503,7 @@ Windows Defender Antivirus has encountered an error when taking action on malwar
- Quarantine: The resource was quarantined
- Remove: The resource was deleted
- Allow: The resource was allowed to execute/exist
-- User defined: User defined action which is normally one from this list of actions that the user has specified
+- User defined: User-defined action that is normally one from this list of actions that the user has specified
- No action: No action
- Block: The resource was blocked from executing
@@ -545,7 +543,7 @@ Message:
Description:
|
-Windows Defender Antivirus has restored an item from quarantine. For more information please see the following:
+Windows Defender Antivirus has restored an item from quarantine. For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -589,7 +587,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information please see the following:
+Windows Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -636,7 +634,7 @@ Message:
Description:
|
-Windows Defender Antivirus has deleted an item from quarantine. For more information please see the following:
+Windows Defender Antivirus has deleted an item from quarantine. For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -680,7 +678,7 @@ Description:
|
Windows Defender Antivirus has encountered an error trying to delete an item from quarantine.
-For more information please see the following:
+For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -729,7 +727,7 @@ Description:
Windows Defender Antivirus has removed history of malware and other potentially unwanted software.
-- Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
+- Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
- User: <Domain>\<User>
|
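Review bot: The reworded Time bullet still ends with "we specifically call them as Action Time or Detection Time", which is ungrammatical and leaves "those" without a clear referent. Since the line is being touched anyway, suggest something like "Threat events use Action Time or Detection Time instead." The identical bullet in the next hunk (error removing history) needs the same fix.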
@@ -760,7 +758,7 @@ Description:
Windows Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
-- Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
+- Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
- User: <Domain>\<User>
- Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
@@ -793,7 +791,7 @@ Message:
Description:
|
-Windows Defender Antivirus has detected a suspicious behavior. For more information please see the following:
+Windows Defender Antivirus has detected a suspicious behavior. For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -870,7 +868,7 @@ Message:
Description:
|
-Windows Defender Antivirus has detected malware or other potentially unwanted software. For more information please see the following:
+Windows Defender Antivirus has detected malware or other potentially unwanted software. For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -951,7 +949,7 @@ Message:
Description:
|
-Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
+Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -999,7 +997,7 @@ UAC
- Quarantine: The resource was quarantined
- Remove: The resource was deleted
- Allow: The resource was allowed to execute/exist
-- User defined: User defined action which is normally one from this list of actions that the user has specified
+- User defined: User-defined action that is normally one from this list of actions that the user has specified
- No action: No action
- Block: The resource was blocked from executing
@@ -1012,7 +1010,7 @@ Description of the error.
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
NOTE:
-Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
+Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:
- Default Internet Explorer or Microsoft Edge setting
- User Access Control settings
- Chrome settings
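Review bot: In the NOTE paragraph, the which/that fix leaves "detects a malware" in the same sentence; "malware" is uncountable, so "detects malware" is the correct form. The unchanged list item below says "User Access Control settings", while the hunk headers for this file show "UAC"; confirm whether "User Account Control" is meant and fix it in the same pass.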
@@ -1078,7 +1076,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software. For more information please see the following:
+Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software. For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -1126,7 +1124,7 @@ UAC
- Quarantine: The resource was quarantined
- Remove: The resource was deleted
- Allow: The resource was allowed to execute/exist
-- User defined: User defined action which is normally one from this list of actions that the user has specified
+- User defined: User-defined action that is normally one from this list of actions that the user has specified
- No action: No action
- Block: The resource was blocked from executing
@@ -1173,7 +1171,7 @@ Message:
Description:
|
-Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following:
+Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software. For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -1221,7 +1219,7 @@ UAC
- Quarantine: The resource was quarantined
- Remove: The resource was deleted
- Allow: The resource was allowed to execute/exist
-- User defined: User defined action which is normally one from this list of actions that the user has specified
+- User defined: User-defined action that is normally one from this list of actions that the user has specified
- No action: No action
- Block: The resource was blocked from executing
@@ -1323,7 +1321,7 @@ Windows Defender Antivirus client is up and running in a healthy state.
|
|
- Note This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
+Note: This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
|
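Review bot: The corrected note still gives the policy as "ThreatFileHashLogging unsigned" in plain text, which does not tell the reader whether "unsigned" is part of the name, a value or a data type, or where the policy is set. Put the policy name in code formatting and state the value that enables the logging.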
@@ -2452,7 +2450,7 @@ Message:
Description:
|
-Windows Defender Antivirus configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
+Windows Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
- Old value: <Old value number>
Old antivirus configuration value.
@@ -2893,7 +2891,7 @@ Run a full system scan.
This error indicates that an offline scan is required.
| | Resolution |
-Run offline Windows Defender Antivirus. You can read about how to do this in the offline Windows Defender Antivirus article.
+Run offline Windows Defender Antivirus. You can read about how to do this in the offline Windows Defender Antivirus article.
|
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
index b7114cd1fd..84d8ca6968 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -26,22 +27,21 @@ You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).
In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy settings:
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
-4. Click **Administrative templates**.
+3. Click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus**.
-6. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
+5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+6. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides links to the appropriate topic in this documentation library (where applicable).
-
-Location | Setting | Documented in topic
+Location | Setting | Article
---|---|---
Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
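Review bot: New step 2 reads "Using the **Group Policy Management Editor** go to **Computer configuration**" and needs a comma after the editor name; "In the Group Policy Management Editor, go to ..." would be the plainer wording. The column header becomes "Article" here, but step 5 and the sentence introducing the table still say "in this topic", so the terminology is now mixed within a few lines.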
@@ -88,10 +88,10 @@ Reporting | Configure time out for detections requiring additional action | Not
Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
Root | Define addresses to bypass proxy server | Not used
-Root | Define proxy auto-config (.pac) for connecting to the network | Not used
+Root | Define proxy autoconfig (.pac) for connecting to the network | Not used
Root | Define proxy server for connecting to the network | Not used
Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Root | Allow antimalware service to startup with normal priority | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
+Root | Allow antimalware service to start up with normal priority | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
Root | Turn off routine remediation | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
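Review bot: The Setting column holds policy names that the procedure at the top of this file tells admins to locate in the Group Policy Management Editor, so "autoconfig" and "start up" should replace "auto-config" and "startup" only if the editor displays them that way. If the displayed policy names keep the old spelling, leave these two cells matching the UI, because readers search for the exact string.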
@@ -126,7 +126,7 @@ Scan | Specify the time of day to run a scheduled scan | [Configure scheduled sc
Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-Security intelligence updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
@@ -143,12 +143,8 @@ Threats | Specify threat alert levels at which default action should not be take
Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-
-
-
-
-
-## Related topics
+## Related articles
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
index 0a6c5dc31a..6ed604307a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -31,7 +32,7 @@ See the [Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use
For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-## Related topics
+## Related articles
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
index bd4a22592f..326511d75c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -38,7 +39,7 @@ You can [configure which settings can be overridden locally with local policy ov
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
-**Use Windows Defender Antivirus PowerShell cmdlets:**
+## Use Windows Defender Antivirus PowerShell cmdlets
1. Click **Start**, type **powershell**, and press **Enter**.
2. Click **Windows PowerShell** to open the interface.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
index c0e86e1a2b..0e88dfd58b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index 5553e762b8..e1d2d9c8e9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -9,10 +9,11 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
ms.reviewer:
manager: dansimp
+ms.custom: nextgen
---
# Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
@@ -21,7 +22,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
+Microsoft next-generation technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).

diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 717e08d7d4..369ebfe876 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index 6327898e26..d1ec034818 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -14,6 +14,7 @@ ms.author: deniseb
ms.date: 10/14/2019
ms.reviewer:
manager: dansimp
+ms.custom: nextgen
---
# Next-generation protection in Windows 10 and Windows Server 2016
@@ -33,8 +34,7 @@ Next-generation protection includes services that use machine learning together
>- [Cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
>- Fast learning (including [block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md))
>- [Potentially unwanted application blocking](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-
-> [!NOTE]
+>
> For more information regarding what's new in each Windows version, please refer to [What's new in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp).
## Minimum system requirements
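Review bot: Replacing the blank line and `> [!NOTE]` with a bare `>` folds the "For more information regarding what's new" sentence into the preceding callout that lists cloud-delivered protection, fast learning and potentially unwanted application blocking, so it no longer renders as its own note. If the merge is intended, fine; otherwise keep the separate `[!NOTE]` block. The sentence also still says "please refer to", while this patch removes "please" from the same phrase throughout the troubleshooting article.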
@@ -44,7 +44,7 @@ Windows Defender Antivirus is your main vehicle for next-generation protection,
- [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
- [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components)
-## Configuring Next-generation services
+## Configuring next-generation services
You can use the following to configure and manage next-generation services in Windows 10 while running Windows Defender Antivirus:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
index e106d82384..4187645c2e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -28,7 +29,7 @@ You can use Windows Defender Offline if you suspect a malware infection, or you
In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Security app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
-## Pre-requisites and requirements
+## prerequisites and requirements
Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
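Review bot: The new heading "## prerequisites and requirements" starts with a lowercase letter, while every other heading touched in this patch is sentence-cased; it should be "## Prerequisites and requirements". "Prerequisites" alone may also be enough, since the two nouns overlap.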
@@ -92,7 +93,7 @@ You can run a Windows Defender Offline scan with the following:
-**Use PowerShell cmdlets to run an offline scan:**
+### Use PowerShell cmdlets to run an offline scan
Use the following cmdlets:
@@ -102,7 +103,7 @@ Start-MpWDOScan
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to run an offline scan:**
+### Use Windows Management Instruction (WMI) to run an offline scan
Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class to run an offline scan.
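Review bot: Promoting this line to a heading keeps "Windows Management Instruction (WMI)"; WMI stands for Windows Management Instrumentation, and as an H3 the wrong expansion now appears in the page's heading list. Correct the name in this line.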
@@ -116,7 +117,7 @@ See the following for more information:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-**Use the Windows Defender Security app to run an offline scan:**
+### Use the Windows Defender Security app to run an offline scan
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
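Review bot: The new heading says "Windows Defender Security app", but step 1 directly under it and the scan-results sentence later in this file say "Windows Security app". Use one name in the heading and the steps so readers are not left wondering whether two different apps are meant.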
@@ -135,7 +136,7 @@ See the following for more information:
Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
-## Related topics
+## Related articles
- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index 6333dad0ae..5935c90319 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
@@ -40,7 +41,7 @@ See the [Windows Security topic](/windows/threat-protection/windows-defender-sec
>[!NOTE]
>The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
-**Review virus and threat protection settings in the Windows Security app:**
+## Review virus and threat protection settings in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -66,7 +67,6 @@ Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | De
4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Windows Defender Offline scan
5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option
-
## Common tasks
This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Security app.
@@ -75,7 +75,9 @@ This section describes how to perform some of the most common tasks when reviewi
> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
-**Run a scan with the Windows Security app**
+
+### Run a scan with the Windows Security app
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -85,7 +87,9 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan.
-**Review the security intelligence update version and download the latest updates in the Windows Security app**
+
+### Review the security intelligence update version and download the latest updates in the Windows Security app
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -97,8 +101,7 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **Check for updates** to download new protection updates (if there are any).
-
-**Ensure Windows Defender Antivirus is enabled in the Windows Security app**
+### Ensure Windows Defender Antivirus is enabled in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
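Review bot: The `### Ensure Windows Defender Antivirus is enabled in the Windows Security app` heading is added with no blank `+` line on either side, and the hunk also deletes the blank line that preceded the old bold title. The other converted headings in this patch are wrapped in added blank lines. Unless blank context lines already surround it in the file, add one before and one after, so the heading is not read as a continuation of step 4 of the preceding list and the spacing matches the rest of the patch.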
@@ -114,7 +117,9 @@ This section describes how to perform some of the most common tasks when reviewi
-**Add exclusions for Windows Defender Antivirus in the Windows Security app**
+
+### Add exclusions for Windows Defender Antivirus in the Windows Security app
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -126,7 +131,8 @@ This section describes how to perform some of the most common tasks when reviewi
5. Click the plus icon to choose the type and set the options for each exclusion.
-**Review threat detection history in the Windows Defender Security Center app**
+
+### Review threat detection history in the Windows Defender Security Center app
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
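Review bot: The rewritten heading and step 1 below it still say "Windows Defender Security Center app", while every other section touched by this patch says "Windows Security app". Since the heading line is being replaced anyway, align the name here and in step 1 so the page does not describe one app under two names. This heading also gets a blank `+` line before it but none after, unlike the other converted headings.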
@@ -136,7 +142,9 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
-**Set ransomware protection and recovery options**
+
+### Set ransomware protection and recovery options
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -147,8 +155,7 @@ This section describes how to perform some of the most common tasks when reviewi
5. To set up ransomware recovery options, click **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack.
-
-## Related topics
+## Related articles
- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
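Review bot: Renaming `## Related topics` to `## Related articles` changes the anchor generated for this heading, so any link that targets the old `#related-topics` anchor on this page would stop resolving. Search the repository for such links before merging. The hunk also removes the blank line ahead of the heading, so confirm that one still separates it from step 5 of the ransomware list.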
diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
index 63342cb030..aa8c80886a 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
@@ -44,7 +44,7 @@ Application Guard has been created to target several types of systems:
|Article |Description |
|------|------------|
-|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard.|
+|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
|