Merge branch 'master' into onboard-check

windows/security/threat-protection/TOC.md

@@ -17,6 +17,7 @@
 
 
 ### [Attack surface reduction]()
+#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
 #### [Hardware-based isolation]()
 ##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
 
@@ -27,10 +28,10 @@
 ##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
 
 #### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-#### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
-#### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
-#### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
-#### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+#### [Exploit protection](microsoft-defender-atp/exploit-protection.md)
+#### [Network protection](microsoft-defender-atp/network-protection.md)
+#### [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
+#### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md)
 #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
 
 ### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
@@ -58,37 +59,31 @@
 #### [Machines list]()
 ##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
 ##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
-##### [Alerts related to this machine](microsoft-defender-atp/investigate-machines.md#alerts-related-to-this-machine)
 
-##### [Machine timeline]()
-###### [View machine profile](microsoft-defender-atp/investigate-machines.md#machine-timeline)
-###### [Search for specific events](microsoft-defender-atp/investigate-machines.md#search-for-specific-events)
-###### [Filter events from a specific date](microsoft-defender-atp/investigate-machines.md#filter-events-from-a-specific-date)
-###### [Export machine timeline events](microsoft-defender-atp/investigate-machines.md#export-machine-timeline-events)
-###### [Navigate between pages](microsoft-defender-atp/investigate-machines.md#navigate-between-pages)
 
 #### [Take response actions]()
 ##### [Take response actions on a machine]()
 ###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
+###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
+###### [Initiate Automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
+###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
 ###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
 ###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
 ###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
-###### [Remove app restriction](microsoft-defender-atp/respond-machine-alerts.md#remove-app-restriction)
 ###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
-###### [Release machine from isolation](microsoft-defender-atp/respond-machine-alerts.md#release-machine-from-isolation)
 ####### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
  
 ##### [Take response actions on a file]()
 ###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
 ###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
-###### [Remove file from quarantine](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-quarantine)
-###### [Block files in your network](microsoft-defender-atp/respond-file-alerts.md#block-files-in-your-network)
-###### [Remove file from blocked list](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-blocked-list)
+###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
+###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
 ###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
+###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
 ###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
 ###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
 ###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
-####### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
+###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
 
 ##### [Investigate entities using Live response]()
 ###### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
@@ -105,21 +100,19 @@
 ### [Advanced hunting]()
 #### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md)
 #### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)
-
-##### [Advanced hunting schema reference]()
-###### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
-###### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
-###### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
-###### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
-###### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
-###### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
-###### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
-###### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
-###### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
-###### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
-###### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
-
-##### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
+#### [Advanced hunting schema reference]()
+##### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
+##### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
+##### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
+##### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
+##### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
+##### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
+##### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
+##### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
+##### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
+##### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
+##### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
+#### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
 
 #### [Custom detections]()
 ##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
@@ -162,37 +155,27 @@
 ##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
 ##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
 ##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
-##### [Exploit protection](windows-defender-exploit-guard/evaluate-exploit-protection.md)
-##### [Network Protection](windows-defender-exploit-guard/evaluate-network-protection.md)
-##### [Controlled folder access](windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
-##### [Attack surface reduction](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
+##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md)
+##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md)
+##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
+##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
 ##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
 ##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
 
 ### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md)
 
 ## [Configure and manage capabilities]()
+
 ### [Configure attack surface reduction]()
 #### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
 
-### [Configure and manage capabilities](microsoft-defender-atp/onboard.md)
-#### [Microsoft Defender Advanced Threat Protection for Mac](windows-defender-antivirus/microsoft-defender-atp-mac.md)
-##### [Deploy Microsoft Defender Advanced Threat Protection for Mac]()
-###### [Microsoft Intune-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md)
-###### [JAMF-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md)
-###### [Deployment with a different Mobile Device Management (MDM) system](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md)
-###### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md)
-##### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md)
-##### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md)
-##### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md)
-##### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md)
 
-#### [Hardware-based isolation]()
-##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
+### [Hardware-based isolation]()
+#### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
 
-##### [Application isolation]()
-###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-###### [Application control](windows-defender-application-control/windows-defender-application-control.md)
+#### [Application isolation]()
+##### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
 
 #### [Device control]()
 ##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
@@ -201,24 +184,29 @@
 ###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
 
 ###### [Memory integrity]()
-####### [Understand memory integrity](windows-defender-exploit-guard/memory-integrity.md)
-####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+####### [Understand memory integrity](device-guard/memory-integrity.md)
+####### [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+####### [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
 
 #### [Exploit protection]()
-##### [Enable exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
-##### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
+##### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
 
-#### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
-#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
+#### [Network protection](microsoft-defender-atp/enable-network-protection.md)
+#### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
 
 #### [Attack surface reduction controls]()
-##### [Enable attack surface reduction rules](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
-##### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md)
+##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
+##### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md)
+
 #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
 
+
+
+
 ### [Configure next generation protection]()
 #### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+
 #### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
 ##### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
 ##### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
@@ -309,6 +297,21 @@
 ##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
 ##### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
 
+
+### [Microsoft Defender Advanced Threat Protection for Mac](windows-defender-antivirus/microsoft-defender-atp-mac.md)
+#### [Deploy Microsoft Defender Advanced Threat Protection for Mac]()
+##### [Microsoft Intune-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md)
+##### [JAMF-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md)
+##### [Deployment with a different Mobile Device Management (MDM) system](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md)
+##### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md)
+#### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md)
+#### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md)
+#### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md)
+#### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md)
+
+
+
+
 ### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md)
 
 ### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
@@ -415,15 +418,10 @@
 ####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
 
 ##### [How to use APIs - Samples]()
-###### [Advanced Hunting API]()
-####### [Schedule advanced Hunting using Microsoft Flow](microsoft-defender-atp/run-advanced-query-sample-ms-flow.md)
-####### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
-####### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
-####### [Create custom Power BI reports](microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md)
-
-###### [Multiple APIs]()
-####### [PowerShell](microsoft-defender-atp/exposed-apis-full-sample-powershell.md)
-
+###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md)
+###### [Power BI](microsoft-defender-atp/api-power-bi.md)
+###### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
+###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
 ###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
 
 #### [Windows updates (KB) info]()
@@ -481,6 +479,7 @@
 #### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
 
 ### [Configure portal settings]()
+#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
 #### [General]()
 ##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
 ##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
@@ -510,7 +509,7 @@
 ##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
 ##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
   
-#### [Configure Windows Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
+#### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
 
 
 ## [Troubleshoot Microsoft Defender ATP]()
@@ -529,8 +528,8 @@
 #### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md)
 
 ### [Troubleshoot attack surface reduction]()
-#### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
-#### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
+#### [Network protection](microsoft-defender-atp/troubleshoot-np.md)
+#### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
  
 ### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
 

windows/security/threat-protection/device-control/control-usb-devices-using-intune.md

@@ -18,31 +18,30 @@ audience: ITPro
 
 **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Windows Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: 
+Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Windows Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices:
 
-1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: 
-   - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. 
-   - The [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB.  
-   - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. 
-   
-2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) 
-   - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).  
+1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
+   - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware.
+   - The [Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB.  
+   - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in.
+
+2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events)
+   - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).
 
 3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral:
-   - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. 
-   - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. 
+   - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination.
+   - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
 
 >[!Note]
 >These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Windows Defender ATP and Azure Information Protection.
 
-
 ## Prevent threats from removable storage
   
 Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals.
 
-### Enable Windows Defender Antivirus Scanning 
+### Enable Windows Defender Antivirus Scanning
 
-Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. 
+Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans.
 
 - If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
 - If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting.
@@ -55,32 +54,32 @@ Protecting authorized removable storage with Windows Defender Antivirus requires
 
 ### Block untrusted and unsigned processes on USB peripherals
 
-End-users might plug in removable devices that are infected with malware. 
-To prevent infections, a company can block USB files that are unsigned or untrusted. 
-Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. 
-This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. 
-With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. 
+End-users might plug in removable devices that are infected with malware.
+To prevent infections, a company can block USB files that are unsigned or untrusted.
+Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral.
+This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively.
+With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards.
 Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files.
 
-These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). 
+These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
 
 1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
-2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. 
+2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
 
    ![Create device configuration profile](images/create-device-configuration-profile.png)
 
 3. Use the following settings:
 
-   - Name: Type a name for the profile 
-   - Description: Type a description 
-   - Platform: Windows 10 or later 
-   - Profile type: Endpoint protection 
+   - Name: Type a name for the profile
+   - Description: Type a description
+   - Platform: Windows 10 or later
+   - Profile type: Endpoint protection
 
    ![Create endpoint protection profile](images/create-endpoint-protection-profile.png)
 
-4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. 
+4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**.
 
-5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. 
+5. For **Unsigned and untrusted processes that run from USB**, choose **Block**.
 
    ![Block untrusted processes](images/block-untrusted-processes.png)
 
@@ -92,11 +91,11 @@ These settings require [enabling real-time protection](https://docs.microsoft.co
 
 DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks:
 
-1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. 
+1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users.
 
    Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
-   
-   Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). 
+
+   Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default).
 
 2. On Windows 10 systems that do not suppprt Kernel DMA Protection, you can:
 
@@ -107,10 +106,10 @@ DMA attacks can lead to disclosure of sensitive information residing on a PC, or
 
 To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender Advanced Threat Protection can help prevent installation and usage of USB drives and other peripherals.
 
-| Control  | Description |
-|----------|-------------|
-| Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types |
-| Prevent installation and usage of USB drives and other peripherals| Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types |
+ Control  | Description
+-|-
+ Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types
+ Prevent installation and usage of USB drives and other peripherals | Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types
 
 All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates:
 
@@ -120,18 +119,19 @@ All of the above controls can be set through the Intune [Administrative Template
 >Using Intune, you can apply device configuration policies to AAD user and/or device groups.
 The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/previous-versions/dotnet/articles/bb530324(v=msdn.10)).
 
->[!Note]
->Always test and refine these settings with a pilot group of users and devices first before applying them in production.
+> [!Note]
+> Always test and refine these settings with a pilot group of users and devices first before applying them in production.
 For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/).
 
 ### Allow installation and usage of USB drives and other peripherals
 
-One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals. 
+One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals.
 
 >[!Note]
 >Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
->1.	Enable **prevent installation of devices not described by other policy settings** to all users.
->2.	Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
+>
+>1. Enable **prevent installation of devices not described by other policy settings** to all users.
+>2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
 To enforce the policy for already installed devices, apply the prevent policies that have this setting.
 
 When configuring the allow device installation policy, you will need to allow all parent attributes as well.  You can view the parents of a device by opening device manager and view by connection.
@@ -144,38 +144,39 @@ In this example, the following classesneeded to be added: HID, Keboard, and {36f
 
 If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device id that you want to add. For example,
 
-1.	Remove class USBDevice from the **allow installation of devices using drivers that match these device setup**
-2.	Add the VID/PID to allow in the **allow installation of device that match any of these device IDs**
+1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup**
+2. Add the VID/PID to allow in the **allow installation of device that match any of these device IDs**
 
->[!Note]
->How to locate the VID/PID: Using Device Manager; right click on the device and select properties.  Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy.
+> [!Note]
+> How to locate the VID/PID: Using Device Manager; right click on the device and select properties.  Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy.
 
 >Using PowerShell: Get-WMIObject -Class Win32_DiskDrive |
 Select-Object -Property *  
 >For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers)
 
 ### Prevent installation and usage of USB drives and other peripherals
-If you want to prevent a device class or certain devices, you can use the prevent device installation policies. 
 
-1.	Enable **Prevent installation of devices that match any of these device IDs**. 
-2.	Enable the **Prevent installation of devices that match these device setup classes policy**.
+If you want to prevent a device class or certain devices, you can use the prevent device installation policies.
 
->[!Note]
->The prevent device installation policies take precedence over the allow device installation policies. 
+1. Enable **Prevent installation of devices that match any of these device IDs**.
+2. Enable the **Prevent installation of devices that match these device setup classes policy**.
+
+> [!Note]
+> The prevent device installation policies take precedence over the allow device installation policies.
 
 ### Block installation and usage of removable storage
 
 1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
-2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. 
+2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
 
    ![Create device configuration profile](images/create-device-configuration-profile.png)
 
-3. Use the following settings: 
+3. Use the following settings:
 
-   - Name: Type a name for the profile 
-   - Description: Type a description 
-   - Platform: Windows 10 and later 
-   - Profile type: Device restrictions 
+   - Name: Type a name for the profile
+   - Description: Type a description
+   - Platform: Windows 10 and later
+   - Profile type: Device restrictions
 
    ![Create profile](images/create-profile.png)
 
@@ -211,34 +212,34 @@ The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, repre
 
 ### Bluetooth
 
-Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed.  As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. 
+Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed.  As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked.
 
 ![Bluetooth](images/bluetooth.png)
 
 ## Detect plug and play connected events
 
-You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. 
-For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). 
+You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations.
+For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries).
 Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).
 
-## Respond to threats 
+## Respond to threats
 
 Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
 
->[!NOTE]
->Always test and refine these settings with a pilot group of users and devices first before applying them in production. 
+> [!NOTE]
+> Always test and refine these settings with a pilot group of users and devices first before applying them in production.
 
-The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. 
+The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals.
 For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog).
 
-| Control  | Description |
-|----------|-------------|
-| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage |
-| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals)   | Users can only install and use approved peripherals that report specific properties in their firmware |
-| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware |
+ Control | Description
+-|-
+ [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage
+ [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware
+ [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware
 
->[!NOTE]
->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
+> [!NOTE]
+> Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
 
 ### Custom Alerts and Response Actions
 
@@ -267,6 +268,3 @@ Both machine and file level actions can be applied.
 - [Device Control PowerBI Template for custom reporting](https://github.com/microsoft/MDATP-PowerBI-Templates)
 - [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) 
 - [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure)
-
-
-

windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md

@@ -14,16 +14,16 @@ ms.date: 04/01/2019
 ms.reviewer: 
 ---
 
-# Enable virtualization-based protection of code integrity 
+# Enable virtualization-based protection of code integrity
 
 **Applies to**  
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. 
-Some applications, including device drivers, may be incompatible with HVCI. 
-This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. 
-If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. 
+This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
+Some applications, including device drivers, may be incompatible with HVCI.
+This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
+If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
 
 >[!NOTE]
 >HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. AMD CPUs do not have MBE.
@@ -37,13 +37,13 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
 * HVCI also ensure your other Truslets, like Credential Guard have a valid certificate.
 * Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
 
-## How to turn on HVCI in Windows 10 
+## How to turn on HVCI in Windows 10
 
 To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options:
 - [Windows Security app](#windows-security-app)
 - [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune)
 - [Group Policy](#enable-hvci-using-group-policy)
-- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) 
+- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
 - [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity)
 
 ### Windows Security app
@@ -52,7 +52,7 @@ HVCI is labeled **Memory integrity** in the Windows Security app and it can be a
 
 ### Enable HVCI using Intune
 
-Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). 
+Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp).
 
 ### Enable HVCI using Group Policy
 
@@ -61,11 +61,11 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
 3. Double-click **Turn on Virtualization Based Security**.
 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
 
-   ![Enable HVCI using Group Policy](images/enable-hvci-gp.png)
+   ![Enable HVCI using Group Policy](../images/enable-hvci-gp.png)
 
 5. Click **Ok** to close the editor.
 
-To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt. 
+To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt.
 
 ### Use registry keys to enable virtualization-based protection of code integrity
 
@@ -185,64 +185,64 @@ Windows 10 and Windows Server 2016 have a WMI class for related properties and f
 > [!NOTE]
 > Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803.
 
-The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. 
+The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.
 
 #### AvailableSecurityProperties
 
 This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.
 
-| Value  | Description |
-|--------|-------------|
-| **0.** | If present, no relevant properties exist on the device. |
-| **1.** | If present, hypervisor support is available.            |
-| **2.** | If present, Secure Boot is available.                   |
-| **3.** | If present, DMA protection is available.                |
-| **4.** | If present, Secure Memory Overwrite is available.       |
-| **5.** | If present, NX protections are available.               |
-| **6.** | If present, SMM mitigations are available.              |
-| **7.** | If present, Mode Based Execution Control is available.  |
+Value | Description
+-|-
+**0.** | If present, no relevant properties exist on the device.
+**1.** | If present, hypervisor support is available.
+**2.** | If present, Secure Boot is available.
+**3.** | If present, DMA protection is available.
+**4.** | If present, Secure Memory Overwrite is available.
+**5.** | If present, NX protections are available.
+**6.** | If present, SMM mitigations are available.
+**7.** | If present, Mode Based Execution Control is available.
 
 
 #### InstanceIdentifier
 
-A string that is unique to a particular device. Valid values are determined by WMI. 
+A string that is unique to a particular device. Valid values are determined by WMI.
 
 #### RequiredSecurityProperties
 
 This field describes the required security properties to enable virtualization-based security.
 
-| Value  | Description |
-|--------|-------------|
-| **0.** | Nothing is required.                                |
-| **1.** | If present, hypervisor support is needed.           |
-| **2.** | If present, Secure Boot is needed.                  |
-| **3.** | If present, DMA protection is needed.               |
-| **4.** | If present, Secure Memory Overwrite is needed.      |
-| **5.** | If present, NX protections are needed.              |
-| **6.** | If present, SMM mitigations are needed.             |
-| **7.** | If present, Mode Based Execution Control is needed. |
+Value | Description
+-|-
+**0.** | Nothing is required.
+**1.** | If present, hypervisor support is needed.
+**2.** | If present, Secure Boot is needed.
+**3.** | If present, DMA protection is needed.
+**4.** | If present, Secure Memory Overwrite is needed.
+**5.** | If present, NX protections are needed.
+**6.** | If present, SMM mitigations are needed.
+**7.** | If present, Mode Based Execution Control is needed.
 
-#### SecurityServicesConfigured 
+#### SecurityServicesConfigured
 
 This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
 
-| Value  | Description |
-|--------|-------------|
-| **0.** | No services configured.                                           |
-| **1.** | If present, Windows Defender Credential Guard is configured.      |
-| **2.** | If present, HVCI is configured.                                   |
-| **3.** | If present, System Guard Secure Launch is configured.             |
+Value | Description
+-|-
+**0.** | No services configured.
+**1.** | If present, Windows Defender Credential Guard is configured.
+**2.** | If present, HVCI is configured.
+**3.** | If present, System Guard Secure Launch is configured.
 
 #### SecurityServicesRunning
 
 This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
 
-| Value  | Description |
-|--------|-------------|
-| **0.** | No services running.                                         |
-| **1.** | If present, Windows Defender Credential Guard is running.    |
-| **2.** | If present, HVCI is running.                                 |
-| **3.** | If present, System Guard Secure Launch is running.           |
+Value | Description
+-|-
+**0.** | No services running.
+**1.** | If present, Windows Defender Credential Guard is running.
+**2.** | If present, HVCI is running.
+**3.** | If present, System Guard Secure Launch is running.
 
 #### Version
 
@@ -252,12 +252,11 @@ This field lists the version of this WMI class. The only valid value now is **1.
 
 This field indicates whether VBS is enabled and running.
 
-| Value  | Description |
-|--------|-------------|
-| **0.** | VBS is not enabled.                  |
-| **1.** | VBS is enabled but not running.      |
-| **2.** | VBS is enabled and running.          |
-
+Value  | Description
+-|-
+**0.** | VBS is not enabled.
+**1.** | VBS is enabled but not running.
+**2.** | VBS is enabled and running.
 
 #### PSComputerName
 
@@ -265,8 +264,7 @@ This field lists the computer name. All valid values for computer name.
 
 Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
 
-![Windows Defender Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png)
-
+![Windows Defender Device Guard properties in the System Summary](../images/dg-fig11-dgproperties.png)
 
 ## Troubleshooting
 

windows/security/threat-protection/index.md

@@ -58,16 +58,16 @@ This built-in capability uses a game-changing risk-based approach to the discove
 <a name="asr"></a>
 
 **[Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)**<br>
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. 
+The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
 
-- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md) 
+- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
 - [Application control](windows-defender-application-control/windows-defender-application-control.md)
 - [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-- [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
-- [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
-- [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
+- [Exploit protection](microsoft-defender-atp/exploit-protection.md)
+- [Network protection](microsoft-defender-atp/network-protection.md)
+- [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
 - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
-- [Attack surface reduction rules](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+- [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
 
 <a name="ngp"></a>
 

windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md

@@ -0,0 +1,81 @@
+---
+title: Microsoft Defender ATP Flow connector
+ms.reviewer: 
+description: Microsoft Defender ATP Flow connector
+keywords: flow, supported apis, api, Microsoft flow, query, automation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Microsoft Defender ATP Flow connector
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional Cyber defenders, forces SOC to work in the most efficient way and automation is a must. MS flow supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within few minutes.
+
+Microsoft Defender API has an official Flow Connector with a lot of capabilities: 
+
+![Image of edit credentials](images/api-flow-0.png)
+
+## Usage example
+
+The following example demonstrates how you can create a Flow that will be triggered any time a new Alert occurs on your tenant.
+
+- Login to [Microsoft Flow](https://flow.microsoft.com)
+
+- Go to: My flows > New > Automated 
+
+![Image of edit credentials](images/api-flow-1.png)
+
+- Choose a name for your Flow, Search for **Microsoft Defender ATP Triggers** as the trigger and choose the new Alerts trigger.
+
+![Image of edit credentials](images/api-flow-2.png)
+
+- Now you have a Flow that is triggered every time a new Alert occurs. 
+
+![Image of edit credentials](images/api-flow-3.png)
+
+All you need to do now, is to choose your next steps.
+Lets, for example, Isolate the machine if the Severity of the Alert is **High** and mail about it.
+The Alert trigger gives us only the Alert ID and the Machine ID. We can use the Connector to expand these entities.
+
+### Get the Alert entity using the connector 
+
+- Choose Microsoft Defender ATP for new step. 
+
+- Choose Alerts - Get single alert API.
+
+- Set the Alert Id from the last step as Input.
+
+![Image of edit credentials](images/api-flow-4.png)
+
+### Isolate the machine if the Alert's severity is High
+
+- Add **Condition** as a new step .
+
+- Check if Alert severity equals to **High**.
+
+- If yes, add Microsoft Defender ATP - Isolate machine action with the Machine Id and a comment.
+
+![Image of edit credentials](images/api-flow-5.png)
+
+Now you can add a new step for mailing about the Alert and the Isolation.
+There are multiple Email connectors that are very easy to use, e.g. Outlook, GMail, etc..
+Save your flow and that's all.
+
+- You can also create **scheduled** flow that will run Advanced Hunting queries and much more! 
+
+## Related topic
+- [Microsoft Defender ATP APIs](apis-intro.md)

windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md

@@ -1,8 +1,8 @@
 ---
-title: Advanced Hunting API
+title: Microsoft Defender ATP APIs connection to Power BI
 ms.reviewer: 
-description: Use this API to run advanced queries
-keywords: apis, supported apis, advanced hunting, query
+description: Create custom reports using Power BI
+keywords: apis, supported apis, Power BI, reports
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -17,24 +17,17 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Create custom reports using Power BI (user authentication)
+# Create custom reports using Power BI
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
-[!include[Prerelease information](prerelease.md)]
+In this section you will learn create a Power BI report on top of Microsoft Defender ATP APIs.
 
-Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
+The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs (e.g. Machine Actions, Alerts, etc..)
 
-In this section we share Power BI query sample to run a query using **user token**.
-
-If you want to use **application token** instead please refer to [this](run-advanced-query-sample-power-bi-app-token.md) tutorial.
-
-## Before you begin
-You first need to [create an app](exposed-apis-create-app-nativeapp.md).
-
-## Run a query
+## Connect Power BI to Advanced Hunting API
 
 - Open Microsoft Power BI
 
@@ -46,18 +39,15 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
 
     ![Image of open advanced editor](images/power-bi-open-advanced-editor.png)
 
-- Copy the below and paste it in the editor, after you update the values of Query
+- Copy the below and paste it in the editor:
 
-	```
+```
 	let 
+		AdvancedHuntingQuery = "MiscEvents | where ActionType contains 'Anti'",
 
-		Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId",
+		HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries",
 
-		FormattedQuery= Uri.EscapeDataString(Query),
-
-		AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries?key=" & FormattedQuery,
-
-		Response = Json.Document(Web.Contents(AdvancedHuntingUrl)),
+		Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),
 
 		TypeMap = #table(
 			{ "Type", "PowerBiType" },
@@ -88,12 +78,10 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
 
 	in Table
 
-	```
+```
 
 - Click **Done**
 
-    ![Image of create advanced query](images/power-bi-create-advanced-query.png)
-
 - Click **Edit Credentials**
 
     ![Image of edit credentials](images/power-bi-edit-credentials.png)
@@ -108,13 +96,32 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
 
     ![Image of set credentials](images/power-bi-set-credentials-organizational-cont.png)
 
-- View the results of your query
+- Now the results of your query will appear as table and you can start build visualizations on top of it!
 
-    ![Image of query results](images/power-bi-query-results.png)
+- You can duplicate this table, rename it and edit the Advanced Hunting query inside to get any data you would like.
+
+## Connect Power BI to OData APIs
+
+- The only difference from the above example is the query inside the editor. 
+
+- Copy the below and paste it in the editor to pull all **Machine Actions** from your organization:
+
+```
+	let
+
+		Query = "MachineActions",
+
+		Source = OData.Feed("https://api.securitycenter.windows.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true])
+	in
+		Source
+
+```
+
+- You can do the same for **Alerts** and **Machines**.
+
+- You also can use OData queries for queries filters, see [Using OData Queries](exposed-apis-odata-samples.md)
 
 ## Related topic
-- [Create custom Power BI reports with app authentication](run-advanced-query-sample-power-bi-app-token.md)
 - [Microsoft Defender ATP APIs](apis-intro.md)
 - [Advanced Hunting API](run-advanced-query-api.md)
-- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
-- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
+- [Using OData Queries](exposed-apis-odata-samples.md)

windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/07/2019
@@ -16,32 +17,28 @@ ms.reviewer:
 manager: dansimp
 ---
 
-# Reduce attack surfaces with attack surface reduction rules 
+# Reduce attack surfaces with attack surface reduction rules
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-
-Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019. 
-
+Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
 
 To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
 
-
 Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
 
-- Executable files and scripts used in Office apps or web mail that attempt to download or run files
-- Obfuscated or otherwise suspicious scripts
-- Behaviors that apps don't usually initiate during normal day-to-day work
+* Executable files and scripts used in Office apps or web mail that attempt to download or run files
+* Obfuscated or otherwise suspicious scripts
+* Behaviors that apps don't usually initiate during normal day-to-day work
 
-You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
+You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
 
-Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center. 
+Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center.
 
 For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
 
@@ -49,11 +46,11 @@ For information about configuring attack surface reduction rules, see [Enable at
 
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
 
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
 
-Here is an example query: 
+Here is an example query:
 
-```
+```PowerShell
 MiscEvents
 | where ActionType startswith 'Asr'
 ```
@@ -62,13 +59,13 @@ MiscEvents
 
 You can review the Windows event log to view events that are created when attack surface reduction rules fire:
 
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
+1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
 
 2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer.
 
 3. Click **Import custom view...** on the left panel, under **Actions**.
-   
-4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md).
 
 5. Click **OK**.
 
@@ -82,13 +79,12 @@ Event ID | Description
 
 The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed.
 
-
 ## Attack surface reduction rules
 
 The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs:
 
-Rule name | GUID | File & folder exclusions
--|-|-
+ Rule name | GUID | File & folder exclusions
+-----------|------|--------------------------
 Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
 Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
 Block Office applications from creating executable content  | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
@@ -111,8 +107,8 @@ Each rule description indicates which apps or file types the rule applies to. In
 
 This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers:
 
-- Executable files (such as .exe, .dll, or .scr) 
-- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+* Executable files (such as .exe, .dll, or .scr)
+* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 
 This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
 
@@ -138,7 +134,7 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
 
 ### Block Office applications from creating executable content
 
-This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content. 
+This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
 
 This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
 
@@ -154,7 +150,7 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899
 
 Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.
 
-This rule applies to Word, Excel, and PowerPoint. 
+This rule applies to Word, Excel, and PowerPoint.
 
 This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
 
@@ -166,12 +162,12 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
 
 ### Block JavaScript or VBScript from launching downloaded executable content
 
-Malware often uses JavaScript and VBScript scripts to launch other malicious apps. 
+Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
 
-Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. 
+Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
 
->[!IMPORTANT]
->File and folder exclusions don't apply to this attack surface reduction rule.
+> [!IMPORTANT]
+> File and folder exclusions don't apply to this attack surface reduction rule.
 
 This rule was introduced in:  Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
 
@@ -206,16 +202,16 @@ SCCM name: Block Win32 API calls from Office macros
 GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
 
 ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- 
+
 This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:
- 
-- Executable files (such as .exe, .dll, or .scr) 
 
->[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+* Executable files (such as .exe, .dll, or .scr)
 
->[!IMPORTANT]
->The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
+> [!NOTE]
+> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+
+> [!IMPORTANT]
+> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
 >
 >You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
 
@@ -226,13 +222,13 @@ Intune name: Executables that don't meet a prevalence, age, or trusted list crit
 SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
 
 GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
- 
+
 ### Use advanced protection against ransomware
- 
+
 This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
 
->[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+> [!NOTE]
+> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
 
 This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
 
@@ -241,14 +237,14 @@ Intune name: Advanced ransomware protection
 SCCM name: Use advanced protection against ransomware
 
 GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
- 
+
 ### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- 
+
 Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
 
- >[!NOTE]
- >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
- 
+> [!NOTE]
+> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
+
 This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
 
 Intune name: Flag credential stealing from the Windows local security authority subsystem
@@ -261,26 +257,26 @@ GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 
 This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
 
->[!IMPORTANT]
->File and folder exclusions do not apply to this attack surface reduction rule.
+> [!IMPORTANT]
+> File and folder exclusions do not apply to this attack surface reduction rule.
 
->[!WARNING]
->Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
+> [!WARNING]
+> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
 
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
+This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019
 
 Intune name: Process creation from PSExec and WMI commands
 
 SCCM name: Not applicable
 
 GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
- 
+
 ### Block untrusted and unsigned processes that run from USB
- 
+
 With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
- 
-- Executable files (such as .exe, .dll, or .scr) 
-- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+
+* Executable files (such as .exe, .dll, or .scr)
+* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 
 This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
 
@@ -294,10 +290,10 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
 
 This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
 
->[!NOTE]
->This rule applies to Outlook and Outlook.com only.
+> [!NOTE]
+> This rule applies to Outlook and Outlook.com only.
 
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810
+This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
 
 Intune name: Process creation from Office communication products (beta)
 
@@ -307,19 +303,21 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
 
 ### Block Adobe Reader from creating child processes
 
-Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes. 
+Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
 
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810
+This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
 
 Intune name: Process creation from Adobe Reader (beta)
 
-SCCM name: Not applicable
+SCCM name: Not yet available
 
 GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
 ### Block persistence through WMI event subscription
 
-Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository. 
+Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository.
+
+This rule was introduced in: Windows 10 1903, Windows Server 1903
 
 Intune name: Block persistence through WMI event subscription
 
@@ -329,7 +327,6 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
 
 ## Related topics
 
-- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-- [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
-
+* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+* [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)

windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
@@ -16,12 +17,11 @@ ms.reviewer:
 manager: dansimp
 ---
 
-
-# Use audit mode 
+# Use audit mode
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
 
@@ -33,25 +33,23 @@ To find the audited entries, go to **Applications and Services** > **Microsoft**
 
 You can use Windows Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
 
-This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. 
+This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
 
 You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
 
 >[!TIP]
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
 
-
-|Audit options | How to enable audit mode | How to view events |
-|- | - | - |
-|Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) |
-|Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) |
-|Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) |
-|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) |
-
+ Audit options | How to enable audit mode | How to view events
+-|-|-
+Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer)
+Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer)
+Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer)
+|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer)
 
 ## Related topics
 
-- [Protect devices from exploits](exploit-protection-exploit-guard.md) 
-- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) 
-- [Protect your network](network-protection-exploit-guard.md) 
-- [Protect important folders](controlled-folders-exploit-guard.md)
+* [Protect devices from exploits](exploit-protection.md)
+* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+* [Protect your network](network-protection.md)
+* [Protect important folders](controlled-folders.md)

windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md

@@ -1,8 +1,7 @@
 ---
-title: 
-ms.reviewer: 
-description: 
-keywords: 
+title: Configure attack surface reduction
+description: Configure attack surface reduction
+keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -23,22 +22,21 @@ ms.date: 07/01/2018
 
 You can configure attack surface reduction with a number of tools, including:
 
-- Microsoft Intune
-- System Center Configuration Manager
-- Group Policy
-- PowerShell cmdlets
-
+* Microsoft Intune
+* System Center Configuration Manager
+* Group Policy
+* PowerShell cmdlets
 
 The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the applicable configuration tool (or tools).
 
 ## In this section
+
 Topic | Description
-:---|:---
+-|-
 [Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to preprare for and install Application Guard, including hardware and softeware requirements
 [Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and potect kernel mode processes
-[Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps
-[Network protection](../windows-defender-exploit-guard/enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains
-[Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)|How to protect valuable data from malicious apps
-[Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware
+[Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps
+[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains
+[Controlled folder access](./enable-controlled-folders.md)|How to protect valuable data from malicious apps
+[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware
 [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network
-

windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md

@@ -20,34 +20,36 @@ ms.topic: article
 # Optimize ASR rule deployment and detections
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
 
 ![Attack surface management card](images/secconmgmt_asr_card.png)<br>
 *Attack surface management card*
 
 The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to:
 
-- Understand how ASR rules are currently deployed in your organization
-- Review ASR detections and identify possible incorrect detections
-- Analyze the impact of exclusions and generate the list of file paths to exclude
+* Understand how ASR rules are currently deployed in your organization
+* Review ASR detections and identify possible incorrect detections
+* Analyze the impact of exclusions and generate the list of file paths to exclude
 
 Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
 
 ![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)<br>
 *Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center*
 
->[!NOTE]
->To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions)
+> [!NOTE]
+> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions)
 
-For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) 
+For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
 
 # Related topics
-- [Ensure your machines are configured properly](configure-machines.md)
-- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
-- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
+
+* [Ensure your machines are configured properly](configure-machines.md)
+* [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
+* [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)

windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md

@@ -17,15 +17,13 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-
 # Configure machine proxy and Internet connectivity settings
 
 **Applies to:**
+
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
 
 The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.
 
@@ -43,20 +41,19 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
 > [!NOTE]
 > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
 
-
 - Manual static proxy configuration:
   - Registry based configuration
   - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
 
-
-
 ## Configure the proxy server manually using a registry-based static proxy
+
 Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet.
 
-The static proxy is configurable through Group Policy (GP). The group policy can be found under: 
+The static proxy is configurable through Group Policy (GP). The group policy can be found under:
+
 - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
-    - Set it to **Enabled** and select **Disable Authenticated Proxy usage**:
-    ![Image of Group Policy setting](images/atp-gpo-proxy1.png)
+  - Set it to **Enabled** and select **Disable Authenticated Proxy usage**:
+  ![Image of Group Policy setting](images/atp-gpo-proxy1.png)
 - **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**:
   - Configure the proxy:<br>
     ![Image of Group Policy setting](images/atp-gpo-proxy2.png)
@@ -68,6 +65,7 @@ The static proxy is configurable through Group Policy (GP). The group policy can
     ```text
     <server name or ip>:<port>
     ```
+
     For example: 10.0.0.6:8080
 
     The registry value `DisableEnterpriseAuthProxy` should be set to 1.
@@ -87,35 +85,39 @@ Use netsh to configure a system-wide static proxy.
     b. Right-click **Command prompt** and select **Run as administrator**.
 
 2. Enter the following command and press **Enter**:
-   ```
+
+   ```PowerShell
    netsh winhttp set proxy <proxy>:<port>
    ```
+
    For example: netsh winhttp set proxy 10.0.0.6:8080
 
 To reset the winhttp proxy, enter the following command and press **Enter**
-```
+
+```PowerShell
 netsh winhttp reset proxy
 ```
+
 See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/windows-server/networking/technologies/netsh/netsh-contexts) to learn more.
 
 ## Enable access to Microsoft Defender ATP service URLs in the proxy server
+
 If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443:
 
->[!NOTE]
-> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. 
+> [!NOTE]
+> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later.
 
-Service location | Microsoft.com DNS record
-:---|:---
+ Service location | Microsoft.com DNS record
+-|-
 Common URLs for all locations | ```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com``` <br>```events.data.microsoft.com```<br>```notify.windows.com```
 European Union | ```eu.vortex-win.data.microsoft.com```<br>```eu-v20.events.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br>```winatp-gw-weu.microsoft.com```
 United Kingdom | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com```<br>```winatp-gw-uks.microsoft.com```<br>```winatp-gw-ukw.microsoft.com```
 United States | ```us.vortex-win.data.microsoft.com```<br> ```us-v20.events.data.microsoft.com```<br>```winatp-gw-cus.microsoft.com``` <br>```winatp-gw-eus.microsoft.com```
 
-
-
 If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
 
-## Microsoft Defender ATP service backend IP range 
+## Microsoft Defender ATP service backend IP range
+
 If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
 
 Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
@@ -128,13 +130,11 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region
 - \+\<Region Name="uksouth">
 - \+\<Region Name="ukwest">
 
-
 You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653).
 
->[!NOTE]
+> [!NOTE]
 > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
 
-
 ## Verify client connectivity to Microsoft Defender ATP service URLs
 
 Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs.
@@ -151,11 +151,13 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
 
 4. Enter the following command and press **Enter**:
 
-    ```
+    ```PowerShell
     HardDrivePath\WDATPConnectivityAnalyzer.cmd
     ```
+
     Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example
-    ```
+
+    ```PowerShell
     C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd
     ```
 
@@ -163,13 +165,14 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
 
 6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. <br><br>
    The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP  services. For example:
+
    ```text
    Testing URL : https://xxx.microsoft.com/xxx
    1 - Default proxy: Succeeded (200)
    2 - Proxy auto discovery (WPAD): Succeeded (200)
    3 - Proxy disabled: Succeeded (200)
    4 - Named proxy: Doesn't exist
-   5 - Command line proxy: Doesn't exist              
+   5 - Command line proxy: Doesn't exist
    ```
 
 If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method. <br><br>
@@ -177,9 +180,10 @@ If at least one of the connectivity options returns a (200) status, then the Mic
 However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
 
 > [!NOTE]
-> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
+> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
 > When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
 
 ## Related topics
+
 - [Onboard Windows 10 machines](configure-endpoints.md)
 - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 audience: ITPro
@@ -21,7 +22,7 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
 
@@ -35,9 +36,9 @@ Controlled folder access is especially useful in helping to protect your documen
 
 With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
 
-The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
+The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
 
-You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
 
 Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019.
 
@@ -49,7 +50,7 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time
 
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
 
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
 
 Here is an example query
 
@@ -62,13 +63,13 @@ MiscEvents
 
 You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app:
 
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
+1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
 
 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
 
 1. On the left panel, under **Actions**, click **Import custom view...**.
 
-1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md).
 
 1. Click **OK**.
 
@@ -83,7 +84,7 @@ Event ID | Description
 ## In this section
 
 Topic | Description
----|---
+-|-
 [Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
-[Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network
-[Customize controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders.
+[Enable controlled folder access](enable-controlled-folders.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network
+[Customize controlled folder access](customize-controlled-folders.md) | Add additional protected folders, and allow specified apps to access protected folders.

windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md

@@ -26,7 +26,7 @@ ms.topic: article
 Create custom detection rules from [Advanced hunting](overview-hunting.md) queries to automatically check for threat indicators and generate alerts whenever these indicators are found.
 
 >[!NOTE]
->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.  For the detection rule to work properly and create alerts, the query must return in each row a set of MachineId, ReportId, EventTime which match to an actual event in advanced hunting.
 
 1. In the navigation pane, select **Advanced hunting**.
 

windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/13/2019
@@ -20,10 +21,10 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
 
@@ -33,21 +34,20 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
 
 ## Exclude files and folders
 
-You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. 
+You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running.
 
->[!WARNING]
->This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
+> [!WARNING]
+> This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
 
 An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules.
 
 An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
 
-Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
+Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
 If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
 
-
-Rule description | GUID 
--|:-:|-
+Rule description | GUID
+-|-|-
 Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
 Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
 Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
@@ -62,19 +62,19 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
 Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
-Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b 
+Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b
 
-See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
+See the [attack surface reduction](attack-surface-reduction.md) topic for details on each rule.
 
 ### Use Group Policy to exclude files and folders
 
-1.  On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
-2.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
 
-3.  Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
+3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
 
-4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. 
+4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
 
 ### Use PowerShell to exclude files and folders
 
@@ -85,10 +85,10 @@ See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) to
     Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
     ```
 
-Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. 
+Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list.
 
->[!IMPORTANT]
->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
+> [!IMPORTANT]
+> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
 
 ### Use MDM CSPs to exclude files and folders
 
@@ -100,7 +100,6 @@ See the [Windows Security](../windows-defender-security-center/windows-defender-
 
 ## Related topics
 
-- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-
+* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)

windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/13/2019
@@ -20,19 +21,19 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
 
 This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
 
-- [Add additional folders to be protected](#protect-additional-folders)
-- [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders)
+* [Add additional folders to be protected](#protect-additional-folders)
+* [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders)
 
->[!WARNING]
->Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files.
+> [!WARNING]
+> Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files.
 >
->This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact.
+> This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender.md) to fully assess the feature's impact.
 
 ## Protect additional folders
 
@@ -42,7 +43,7 @@ You can add additional folders to be protected, but you cannot remove the defaul
 
 Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
 
-You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
+You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
 
 You can use the Windows Security app or Group Policy to add and remove additional protected folders.
 
@@ -55,14 +56,14 @@ You can use the Windows Security app or Group Policy to add and remove additiona
 3. Under the **Controlled folder access** section, click **Protected folders**
 
 4. Click **Add a protected folder** and follow the prompts to add apps.
- 
+
 ### Use Group Policy to protect additional folders
 
-1.  On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
-2.  In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
 
-3.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
 
 4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder.
 
@@ -77,10 +78,10 @@ You can use the Windows Security app or Group Policy to add and remove additiona
 
 Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app.
 
-![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png)
+![Screenshot of a PowerShell window with the cmdlet above entered](../images/cfa-allow-folder-ps.png)
 
->[!IMPORTANT]
->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
+> [!IMPORTANT]
+> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
 
 ### Use MDM CSPs to protect additional folders
 
@@ -88,17 +89,16 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m
 
 ## Allow specific apps to make changes to controlled folders
 
-You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. 
+You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature.
 
->[!IMPORTANT]
->By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
->You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
+> [!IMPORTANT]
+> By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
+> You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
 
 When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access.
 
 An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
 
-
 ### Use the Windows Defender Security app to allow specific apps
 
 1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -109,15 +109,15 @@ An allowed application or service only has write access to a controlled folder a
 
 4. Click **Add an allowed app** and follow the prompts to add apps.
 
-    ![Screenshot of how to add an allowed app button](images/cfa-allow-app.png)
+    ![Screenshot of how to add an allowed app button](../images/cfa-allow-app.png)
 
 ### Use Group Policy to allow specific apps
 
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
-2.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
 
-3.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
 
 4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
 
@@ -135,22 +135,24 @@ An allowed application or service only has write access to a controlled folder a
     ```PowerShell
     Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
     ```
+
    Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app.
 
-![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png)
+![Screenshot of a PowerShell window with the above cmdlet entered](../images/cfa-allow-app-ps.png)
 
->[!IMPORTANT]
->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
+> [!IMPORTANT]
+> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
 
 ### Use MDM CSPs to allow specific apps
 
-Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. 
+Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
 
 ## Customize the notification
 
 See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 
 ## Related topics
-- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
-- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) 
-- [Evaluate attack surface reduction rules](evaluate-windows-defender-exploit-guard.md)
+
+* [Protect important folders with controlled folder access](controlled-folders.md)
+* [Enable controlled folder access](enable-controlled-folders.md)
+* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)

windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 03/26/2019
@@ -20,18 +21,18 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
- 
+
 You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
 
- This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
+This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
 
 It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
 
->[!WARNING]
->Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network.
+> [!WARNING]
+> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network.
 
 ## Exploit protection mitigations
 
@@ -39,87 +40,87 @@ All mitigations can be configured for individual apps. Some mitigations can also
 
 You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table.
 
-Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". 
+Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".
 
 The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults.
 
 For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
 
 Mitigation | Description | Can be applied to | Audit mode available
-- | - | - | :-:
-Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level  | [!include[Check mark no](images/svg/check-no.svg)]
-Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level  | [!include[Check mark no](images/svg/check-no.svg)]
-Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level  | [!include[Check mark no](images/svg/check-no.svg)]
-Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level  | [!include[Check mark no](images/svg/check-no.svg)]
-Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+-|-|-|-
+Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level  | [!include[Check mark no](../images/svg/check-no.svg)]
+Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level  | [!include[Check mark no](../images/svg/check-no.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level  | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level  | [!include[Check mark no](../images/svg/check-no.svg)]
+Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
 
->[!IMPORTANT]
->If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
+> [!IMPORTANT]
+> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
 >
 >
->Enabled in **Program settings** | Enabled in **System settings** | Behavior
->:-: | :-: | :-:
->[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
->[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
->[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
->[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option
+> Enabled in **Program settings** | Enabled in **System settings** | Behavior
+> -|-|-
+> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
+> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
+> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
+> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
 >
 >
->  
->- **Example 1**  
->    
+>
+> * **Example 1**  
+>
 >    Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
->    
+>
 >    Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
->    
->The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
->  
->  
->- **Example 2**
->  
+>
+> The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
+>
+>
+> * **Example 2**
+>
 >    Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
 >
->    Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. 
+>    Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
 >
 >    Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
 >
->The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. 
+>The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
 >CFG will be enabled for *miles.exe*.
 
->[!NOTE]
->If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country.
+> [!NOTE]
+> If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country.
 
 ### Configure system-level mitigations with the Windows Security app
 
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-      
+
 3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
-   - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
-   - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
-   - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
+   * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+   * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+   * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
 
      >[!NOTE]
      >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting.
 
-     Changing some settings may require a restart.     
+     Changing some settings may require a restart.
 
 4. Repeat this for all the system-level mitigations you want to configure.
 
@@ -127,15 +128,14 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
 
    1. If the app you want to configure is already listed, click it and then click **Edit**
    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
-        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-		        
+        * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+        * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
 6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 
 7. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 
-
-You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. 
+You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations.
 
 Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
 
@@ -151,33 +151,34 @@ Exporting the configuration as an XML file allows you to copy the configuration
  You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
 
 ```PowerShell
-Get-ProcessMitigation -Name processName.exe 
+Get-ProcessMitigation -Name processName.exe
 ```
 
->[!IMPORTANT]
->System-level mitigations that have not been configured will show a status of `NOTSET`. 
+> [!IMPORTANT]
+> System-level mitigations that have not been configured will show a status of `NOTSET`.
 >
->For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. 
+> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
 >
->For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. 
+> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
 >
->The default setting for each system-level mitigation can be seen in the Windows Security.
+> The default setting for each system-level mitigation can be seen in the Windows Security.
 
 Use `Set` to configure each mitigation in the following format:
 
  ```PowerShell
 Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
 ```
+
 Where:
 
-- \<Scope>:
-    - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
-    - `-System` to indicate the mitigation should be applied at the system level
+* \<Scope>:
+    * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
+    * `-System` to indicate the mitigation should be applied at the system level
 - \<Action>:
-    - `-Enable` to enable the mitigation
-    - `-Disable` to disable the mitigation
-- \<Mitigation>:
-    - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma.
+    * `-Enable` to enable the mitigation
+    * `-Disable` to disable the mitigation
+* \<Mitigation>:
+    * The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma.
 
   For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
 
@@ -185,8 +186,8 @@ Where:
   Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
   ```
 
-  >[!IMPORTANT]
-  >Separate each mitigation option with commas.
+  > [!IMPORTANT]
+  > Separate each mitigation option with commas.
 
   If you wanted to apply DEP at the system level, you'd use the following command:
 
@@ -202,8 +203,7 @@ Where:
   Set-Processmitigation -Name test.exe -Remove -Disable DEP
   ```
 
-
-  You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. 
+ You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below.
 
  For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command:
 
@@ -215,11 +215,10 @@ You can disable audit mode by using the same command but replacing `-Enable` wit
 
 ### PowerShell reference table
 
-This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. 
+This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
 
 <a id="cmdlets-table"></a>
 
-
 Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
 - | - | - | -
 Control flow guard (CFG) | System and app-level |   CFG,   StrictCFG,   SuppressExports  | Audit not available
@@ -228,39 +227,36 @@ Force randomization for images (Mandatory ASLR) | System and app-level |   Force
 Randomize memory allocations (Bottom-Up ASLR) | System and app-level |   BottomUp,   HighEntropy  | Audit not available
 Validate exception chains (SEHOP) | System and app-level |   SEHOP,   SEHOPTelemetry  | Audit not available
 Validate heap integrity | System and app-level |   TerminateOnError  | Audit not available
-Arbitrary code guard (ACG) | App-level only |   DynamicCode  |   AuditDynamicCode 
-Block low integrity images | App-level only |   BlockLowLabel  |   AuditImageLoad 
-Block remote images | App-level only |   BlockRemoteImages  | Audit not available 
-Block untrusted fonts | App-level only |   DisableNonSystemFonts  |   AuditFont,   FontAuditOnly 
-Code integrity guard | App-level only |   BlockNonMicrosoftSigned,   AllowStoreSigned  |   AuditMicrosoftSigned,   AuditStoreSigned 
+Arbitrary code guard (ACG) | App-level only |   DynamicCode  |   AuditDynamicCode
+Block low integrity images | App-level only |   BlockLowLabel  |   AuditImageLoad
+Block remote images | App-level only |   BlockRemoteImages  | Audit not available
+Block untrusted fonts | App-level only |   DisableNonSystemFonts  |   AuditFont,   FontAuditOnly
+Code integrity guard | App-level only |   BlockNonMicrosoftSigned,   AllowStoreSigned  |   AuditMicrosoftSigned,   AuditStoreSigned
 Disable extension points | App-level only |   ExtensionPoint  | Audit not available
 Disable Win32k system calls | App-level only |   DisableWin32kSystemCalls  |   AuditSystemCall
 Do not allow child processes | App-level only |   DisallowChildProcessCreation  |   AuditChildProcess
-Export address filtering (EAF) | App-level only |   EnableExportAddressFilterPlus,   EnableExportAddressFilter  <a href="#r1" id="t1">\[1\]</a> | Audit not available 
-Import address filtering (IAF) | App-level only |   EnableImportAddressFilter  | Audit not available 
-Simulate execution (SimExec) | App-level only |   EnableRopSimExec  | Audit not available 
-Validate API invocation (CallerCheck) | App-level only |   EnableRopCallerCheck  | Audit not available 
+Export address filtering (EAF) | App-level only |   EnableExportAddressFilterPlus,   EnableExportAddressFilter  <a href="#r1" id="t1">\[1\]</a> | Audit not available
+Import address filtering (IAF) | App-level only |   EnableImportAddressFilter  | Audit not available
+Simulate execution (SimExec) | App-level only |   EnableRopSimExec  | Audit not available
+Validate API invocation (CallerCheck) | App-level only |   EnableRopCallerCheck  | Audit not available
 Validate handle usage | App-level only |   StrictHandle  | Audit not available
-Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available 
-Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available 
-
-
+Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available
+Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available
 
 <a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
 
 ```PowerShell
-Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll 
+Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
 ```
 
-
 ## Customize the notification
 
 See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 
 ## Related topics
 
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Enable exploit protection](enable-exploit-protection.md)
-- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Protect devices from exploits](exploit-protection.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)

windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md

@@ -0,0 +1,87 @@
+---
+title: Compare the features in Exploit protection with EMET
+keywords: emet, enhanced mitigation experience toolkit, configuration, exploit, compare, difference between, versus, upgrade, convert
+description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+author: levinec
+ms.author: ellevin
+ms.date: 08/08/2018
+ms.reviewer: 
+manager: dansimp
+---
+
+# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender
+
+**Applies to:**
+
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> [!IMPORTANT]
+> If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP.
+>
+> You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
+
+This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP.
+
+Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
+
+EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques.
+
+After July 31, 2018, it will not be supported.
+
+For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
+
+* [Protect devices from exploits](exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+
+## Mitigation comparison
+
+The mitigations available in EMET are included in Windows Defender, under the [exploit protection feature](exploit-protection.md).
+
+The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection.  
+
+Mitigation | Available in Windows Defender | Available in EMET
+-|-|-
+Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />As "Memory Protection Check"
+Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br/>As "Load Library Check"
+Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />Included natively in Windows 10<br/>See  [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See  [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+
+> [!NOTE]
+> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process.
+>
+> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
+
+## Related topics
+
+* [Protect devices from exploits with Windows Defender](exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)

windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/13/2019
@@ -18,7 +19,7 @@ manager: dansimp
 
 # Enable attack surface reduction rules
 
-[Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. 
+[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
 
 Each ASR rule contains three settings:
 
@@ -30,11 +31,11 @@ To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We r
 
 You can enable attack surface reduction rules by using any of these methods:
 
-- [Microsoft Intune](#intune) 
-- [Mobile Device Management (MDM)](#mdm)
-- [System Center Configuration Manager (SCCM)](#sccm)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
+* [Microsoft Intune](#intune)
+* [Mobile Device Management (MDM)](#mdm)
+* [System Center Configuration Manager (SCCM)](#sccm)
+* [Group Policy](#group-policy)
+* [PowerShell](#powershell)
 
 Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
 
@@ -42,20 +43,20 @@ Enterprise-level management such as Intune or SCCM is recommended. Enterprise-le
 
 You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
 
->[!WARNING]
->Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
-> 
->If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
-
->[!IMPORTANT]
->File and folder exclusions do not apply to the following ASR rules:
+> [!WARNING]
+> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
 >
->- Block process creations originating from PSExec and WMI commands
->- Block JavaScript or VBScript from launching downloaded executable content
+> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
+
+> [!IMPORTANT]
+> File and folder exclusions do not apply to the following ASR rules:
+>
+> * Block process creations originating from PSExec and WMI commands
+> * Block JavaScript or VBScript from launching downloaded executable content
 
 You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
 
-ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
+ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
 
 The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
 
@@ -66,8 +67,8 @@ The following procedures for enabling ASR rules include instructions for how to
 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
 
 3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
-	
-   *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path*	
+
+   *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path*
 
 4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
 
@@ -75,7 +76,7 @@ The following procedures for enabling ASR rules include instructions for how to
 
 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
 
-The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). 
+The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules).
 
 OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
 
@@ -83,9 +84,9 @@ Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A776
 
 The values to enable, disable, or enable in audit mode are:
 
--  Disable = 0
--  Block (enable ASR rule) = 1
--  Audit = 2
+* Disable = 0
+* Block (enable ASR rule) = 1
+* Audit = 2
 
 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
 
@@ -95,8 +96,8 @@ OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExc
 
 Value: c:\path|e:\path|c:\Whitelisted.exe
 
->[!NOTE]
->Be sure to enter OMA-URI values without spaces.
+> [!NOTE]
+> Be sure to enter OMA-URI values without spaces.
 
 ## SCCM
 
@@ -105,12 +106,12 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
 1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
 1. Choose which rules will block or audit actions and click **Next**.
 1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**. 
+1. After the policy is created, click **Close**.
 
 ## Group Policy
 
->[!WARNING]
->If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
+> [!WARNING]
+> If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
 
 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
@@ -119,15 +120,17 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
 3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
 
 4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section:
-   - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
-       -  Disable = 0
-       -  Block (enable ASR rule) = 1
-       -  Audit = 2
 
-     ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png)
+   * Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
+
+       * Disable = 0
+       * Block (enable ASR rule) = 1
+       * Audit = 2
+
+     ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png)
+
+5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
 
-5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. 
- 
 ## PowerShell
 
 >[!WARNING]
@@ -141,32 +144,32 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
     Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
     ```
 
-	To enable ASR rules in audit mode, use the following cmdlet:
+    To enable ASR rules in audit mode, use the following cmdlet:
 
-	```PowerShell
-	Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
+    ```PowerShell
+    Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
     ```
 
-	To turn off ASR rules, use the following cmdlet:
+    To turn off ASR rules, use the following cmdlet:
 
-	```PowerShell
-	Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Disabled
+    ```PowerShell
+    Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Disabled
     ```
 
-	>[!IMPORTANT]
-	>You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. 
-	>
-	>In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode:
-	>
-	>```PowerShell
-	>Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
-	>```
+    > [!IMPORTANT]
+    > You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list.
+    >
+    > In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode:
+    >
+    > ```PowerShell
+    > Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
+    > ```
 
-	You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. 
+    You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
 
-	>[!WARNING]
-	>`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
-	>You can obtain a list of rules and their current state by using `Get-MpPreference`
+    > [!WARNING]
+    > `Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
+    > You can obtain a list of rules and their current state by using `Get-MpPreference`
 
 3. To exclude files and folders from ASR rules, use the following cmdlet:
 
@@ -174,14 +177,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
     Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
     ```
 
-	Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. 
-
-	>[!IMPORTANT]
-	>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
+    Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list.
 
+    > [!IMPORTANT]
+    > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
 
 ## Related topics
 
-- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
-- [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
+* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
+* [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)

windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/13/2019
@@ -20,24 +21,25 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019.
+[Controlled folder access](controlled-folders.md) helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is included with Windows 10 and Windows Server 2019.
 
 You can enable controlled folder access by using any of these methods:
 
-- [Windows Security app](#windows-security-app)
-- [Microsoft Intune](#intune) 
-- [Mobile Device Management (MDM)](#mdm)
-- [System Center Configuration Manager (SCCM)](#sccm)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
+* [Windows Security app](#windows-security-app)
+* [Microsoft Intune](#intune)
+* [Mobile Device Management (MDM)](#mdm)
+* [System Center Configuration Manager (SCCM)](#sccm)
+* [Group Policy](#group-policy)
+* [PowerShell](#powershell)
 
 [Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
 
 Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
-- Windows Defender Antivirus **Configure local administrator merge behavior for lists**
-- System Center Endpoint Protection **Allow users to add exclusions and overrides**
+
+* Windows Defender Antivirus **Configure local administrator merge behavior for lists**
+* System Center Endpoint Protection **Allow users to add exclusions and overrides**
 
 For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
 
@@ -49,9 +51,9 @@ For more information about disabling local list merging, see [Prevent or allow u
 
 3. Set the switch for **Controlled folder access** to **On**.
 
->[!NOTE]
->If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
->If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
+> [!NOTE]
+> If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
+> If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
 
 >If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive.
 
@@ -60,21 +62,21 @@ For more information about disabling local list merging, see [Prevent or allow u
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
 1. Click **Device configuration** > **Profiles** > **Create profile**.
 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-   ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) 
-1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. 
-1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. 
+   ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
+1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
+1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
 
-   ![Enable controlled folder access in Intune](images/enable-cfa-intune.png)
+   ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)
 
-   >[!NOTE]
-   >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. 
+   > [!NOTE]
+   > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
 
-1. Click **OK** to save each open blade and click **Create**. 
+1. Click **OK** to save each open blade and click **Create**.
 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 
-## MDM 
+## MDM
 
-Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. 
+Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
 
 ## SCCM
 
@@ -82,28 +84,28 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
 2. Click **Home** > **Create Exploit Guard Policy**.
 3. Enter a name and a description, click **Controlled folder access**, and click **Next**.
 4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
-   >[!NOTE]
-   >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
+   > [!NOTE]
+   > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
 5. Review the settings and click **Next** to create the policy.
-6. After the policy is created, click **Close**. 
+6. After the policy is created, click **Close**.
 
 ## Group Policy
 
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
-3.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
 
-5.  Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
+3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
 
-6. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
-    - **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
-    - **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
-    - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
+4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
+    * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
+    * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
+    * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
 
-      ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](images/cfa-gp-enable.png)
+      ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](../images/cfa-gp-enable.png)
 
->[!IMPORTANT]
->To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
+> [!IMPORTANT]
+> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
 
 ## PowerShell
 
@@ -121,6 +123,6 @@ Use `Disabled` to turn the feature off.
 
 ## Related topics
 
-- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
-- [Customize controlled folder access](customize-controlled-folders-exploit-guard.md) 
-- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md)
+* [Protect important folders with controlled folder access](controlled-folders.md)
+* [Customize controlled folder access](customize-controlled-folders.md)
+* [Evaluate Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md)

windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/09/2019
@@ -20,93 +21,93 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
+[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
 
-Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. 
+Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
 
 You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
 
 You can enable each mitigation separately by using any of these methods:
 
-- [Windows Security app](#windows-security-app)
-- [Microsoft Intune](#intune) 
-- [Mobile Device Management (MDM)](#mdm)
-- [System Center Configuration Manager (SCCM)](#sccm)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
+* [Windows Security app](#windows-security-app)
+* [Microsoft Intune](#intune)
+* [Mobile Device Management (MDM)](#mdm)
+* [System Center Configuration Manager (SCCM)](#sccm)
+* [Group Policy](#group-policy)
+* [PowerShell](#powershell)
 
-They are configured by default in Windows 10. 
+They are configured by default in Windows 10.
 
-You can set each mitigation to on, off, or to its default value. 
+You can set each mitigation to on, off, or to its default value.
 Some mitigations have additional options.
 
-You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. 
+You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines.
 
 ## Windows Security app
 
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-      
+
 3. Go to **Program settings** and choose the app you want to apply mitigations to:
 
     1. If the app you want to configure is already listed, click it and then click **Edit**
     2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
-        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-		        
+        * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+        * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 
-5. Repeat this for all the apps and mitigations you want to configure. 
+5. Repeat this for all the apps and mitigations you want to configure.
 
-3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
-    - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
-    - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
-    - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
+6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
+    * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+    * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+    * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
 
-5. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 
 If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
 
 Enabled in **Program settings** | Enabled in **System settings** | Behavior
-:-: | :-: | :-:
-[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
-[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
-[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
-[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option
+-|-|-
+[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
+[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
+[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
+[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
+
+**Example 1**
 
-**Example 1**  
-   
 Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
 
 Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
- 
+
 The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
 
 **Example 2**
 
 Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
 
-Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. 
+Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
 
 Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
 
-The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. 
+The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
 CFG will be enabled for *miles.exe*.
 
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-      
+
 3. Go to **Program settings** and choose the app you want to apply mitigations to:
 
     1. If the app you want to configure is already listed, click it and then click **Edit**
     2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
-        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-		        
+        * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+        * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 
 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
@@ -116,11 +117,11 @@ CFG will be enabled for *miles.exe*.
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
 1. Click **Device configuration** > **Profiles** > **Create profile**.
 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-   ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) 
+   ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
 1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.  
 1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:  
-   ![Enable network protection in Intune](images/enable-ep-intune.png)
-1. Click **OK** to save each open blade and click **Create**. 
+   ![Enable network protection in Intune](../images/enable-ep-intune.png)
+1. Click **OK** to save each open blade and click **Create**.
 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 
 ## MDM
@@ -134,50 +135,51 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
 1. Enter a name and a description, click **Exploit protection**, and click **Next**.
 1. Browse to the location of the exploit protection XML file and click **Next**.
 1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**. 
+1. After the policy is created, click **Close**.
 
 ## Group Policy
 
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
-1.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
 
-1.  Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
+1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
 
-6. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
+1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
 
 ## PowerShell
 
 You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
 
 ```PowerShell
-Get-ProcessMitigation -Name processName.exe 
+Get-ProcessMitigation -Name processName.exe
 ```
 
->[!IMPORTANT]
->System-level mitigations that have not been configured will show a status of `NOTSET`. 
+> [!IMPORTANT]
+> System-level mitigations that have not been configured will show a status of `NOTSET`.
 >
->For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. 
+> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
 >
->For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. 
+> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
 >
->The default setting for each system-level mitigation can be seen in the Windows Security.
+> The default setting for each system-level mitigation can be seen in the Windows Security.
 
 Use `Set` to configure each mitigation in the following format:
 
 ```PowerShell
 Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
 ```
+
 Where:
 
-- \<Scope>:
-    - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
-    - `-System` to indicate the mitigation should be applied at the system level
-- \<Action>:
-    - `-Enable` to enable the mitigation
-    - `-Disable` to disable the mitigation
-- \<Mitigation>:
-    - The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma.
+* \<Scope>:
+  * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
+    * `-System` to indicate the mitigation should be applied at the system level
+* \<Action>:
+  * `-Enable` to enable the mitigation
+  * `-Disable` to disable the mitigation
+* \<Mitigation>:
+  * The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma.
 
 For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
 
@@ -185,8 +187,8 @@ For example, to enable the Data Execution Prevention (DEP) mitigation with ATL t
 Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
 ```
 
->[!IMPORTANT]
->Separate each mitigation option with commas.
+> [!IMPORTANT]
+> Separate each mitigation option with commas.
 
 If you wanted to apply DEP at the system level, you'd use the following command:
 
@@ -202,8 +204,7 @@ If you need to restore the mitigation back to the system default, you need to in
 Set-Processmitigation -Name test.exe -Remove -Disable DEP
 ```
 
-This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. 
-
+This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
 
 Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
 - | - | - | -
@@ -213,39 +214,35 @@ Force randomization for images (Mandatory ASLR) | System and app-level |   Force
 Randomize memory allocations (Bottom-Up ASLR) | System and app-level |   BottomUp,   HighEntropy  | Audit not available
 Validate exception chains (SEHOP) | System and app-level |   SEHOP,   SEHOPTelemetry  | Audit not available
 Validate heap integrity | System and app-level |   TerminateOnHeapError  | Audit not available
-Arbitrary code guard (ACG) | App-level only |   DynamicCode  |   AuditDynamicCode 
-Block low integrity images | App-level only |   BlockLowLabel  |   AuditImageLoad 
-Block remote images | App-level only |   BlockRemoteImages  | Audit not available 
-Block untrusted fonts | App-level only |   DisableNonSystemFonts  |   AuditFont,   FontAuditOnly 
-Code integrity guard | App-level only |   BlockNonMicrosoftSigned,   AllowStoreSigned  |   AuditMicrosoftSigned,   AuditStoreSigned 
+Arbitrary code guard (ACG) | App-level only |   DynamicCode  |   AuditDynamicCode
+Block low integrity images | App-level only |   BlockLowLabel  |   AuditImageLoad
+Block remote images | App-level only |   BlockRemoteImages  | Audit not available
+Block untrusted fonts | App-level only |   DisableNonSystemFonts  |   AuditFont,   FontAuditOnly
+Code integrity guard | App-level only |   BlockNonMicrosoftSigned,   AllowStoreSigned  |   AuditMicrosoftSigned,   AuditStoreSigned
 Disable extension points | App-level only |   ExtensionPoint  | Audit not available
 Disable Win32k system calls | App-level only |   DisableWin32kSystemCalls  |   AuditSystemCall
 Do not allow child processes | App-level only |   DisallowChildProcessCreation  |   AuditChildProcess
-Export address filtering (EAF) | App-level only |   EnableExportAddressFilterPlus,   EnableExportAddressFilter  <a href="#r1" id="t1">\[1\]</a> | Audit not available 
-Import address filtering (IAF) | App-level only |   EnableImportAddressFilter  | Audit not available 
-Simulate execution (SimExec) | App-level only |   EnableRopSimExec  | Audit not available 
-Validate API invocation (CallerCheck) | App-level only |   EnableRopCallerCheck  | Audit not available 
+Export address filtering (EAF) | App-level only |   EnableExportAddressFilterPlus,   EnableExportAddressFilter  <a href="#r1" id="t1">\[1\]</a> | Audit not available
+Import address filtering (IAF) | App-level only |   EnableImportAddressFilter  | Audit not available
+Simulate execution (SimExec) | App-level only |   EnableRopSimExec  | Audit not available
+Validate API invocation (CallerCheck) | App-level only |   EnableRopCallerCheck  | Audit not available
 Validate handle usage | App-level only |   StrictHandle  | Audit not available
-Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available 
-Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available 
-
-
+Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available
+Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available
 
 <a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
 
 ```PowerShell
-Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll 
+Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
 ```
 
-
 ## Customize the notification
 
 See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 
-
 ## Related topics
 
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)

windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.reviewer: 
@@ -20,31 +21,29 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. 
+[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
 You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.  
 
 You can enable network protection by using any of these methods:
 
-- [Microsoft Intune](#intune) 
-- [Mobile Device Management (MDM)](#mdm)
-- [System Center Configuration Manager (SCCM)](#sccm)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
+* [Microsoft Intune](#intune)
+* [Mobile Device Management (MDM)](#mdm)
+* [System Center Configuration Manager (SCCM)](#sccm)
+* [Group Policy](#group-policy)
+* [PowerShell](#powershell)
 
 ## Intune
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-2. Click **Device configuration** > **Profiles** > **Create profile**.
-3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-   ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) 
-4. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
-  
-   ![Enable network protection in Intune](images/enable-np-intune.png)
-
-5. Click **OK** to save each open blade and click **Create**. 
-6. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
+1. Click **Device configuration** > **Profiles** > **Create profile**.
+1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
+   ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
+1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.  
+   ![Enable network protection in Intune](../images/enable-np-intune.png)
+1. Click **OK** to save each open blade and click **Create**.
+1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 
 ## MDM
 
@@ -57,60 +56,58 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d
 1. Enter a name and a description, click **Network protection**, and click **Next**.
 1. Choose whether to block or audit access to suspicious domains and click **Next**.
 1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**. 
+1. After the policy is created, click **Close**.
 
-## Group Policy 
+## Group Policy
 
-You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. 
+You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer.
 
-1.  On a standalone computer, click **Start**, type and then click **Edit group policy**.
+1. On a standalone computer, click **Start**, type and then click **Edit group policy**.
 
     -Or-
-    
+
     On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
-2.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
 
-3.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
 
 4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following:
-    - **Block** - Users will not be able to access malicious IP addresses and domains
-    - **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains
-    - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
+    * **Block** - Users will not be able to access malicious IP addresses and domains
+    * **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains
+    * **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
 
->[!IMPORTANT]
->To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
+> [!IMPORTANT]
+> To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
 
 You can confirm network protection is enabled on a local computer by using Registry editor:
 
 1. Click **Start** and type **regedit** to open **Registry Editor**.
 1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
-1. Click **EnableNetworkProtection** and confirm the value: 
-   - 0=Off
-   - 1=On
-   - 2=Audit
+1. Click **EnableNetworkProtection** and confirm the value:
+   * 0=Off
+   * 1=On
+   * 2=Audit
 
 ## PowerShell
 
 1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
 
-    ```
+    ```PowerShell
     Set-MpPreference -EnableNetworkProtection Enabled
     ```
 
 You can enable the feature in audit mode using the following cmdlet:
 
-```
+```PowerShell
 Set-MpPreference -EnableNetworkProtection AuditMode
 ```
 
 Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off.
 
-
 ## Related topics
 
-- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
-- [Network protection](network-protection-exploit-guard.md)
-- [Evaluate network protection](evaluate-network-protection.md)
-- [Troubleshoot network protection](troubleshoot-np.md)
+* [Network protection](network-protection.md)
+* [Evaluate network protection](evaluate-network-protection.md)
+* [Troubleshoot network protection](troubleshoot-np.md)

windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md

@@ -19,25 +19,30 @@ ms.topic: conceptual
 ---
 
 # Evaluate Microsoft Defender ATP 
+
 [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
 
 You can evaluate Microsoft Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp).
 
-You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions. 
+You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions.
 
 ## Evaluate attack surface reduction
+
 These capabilities help prevent attacks and exploitations from infecting your organization.
-- [Evaluate attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
-- [Evaluate exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
-- [Evaluate network protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
-- [Evaluate controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
+
+- [Evaluate attack surface reduction](./evaluate-attack-surface-reduction.md)
+- [Evaluate exploit protection](./evaluate-exploit-protection.md)
+- [Evaluate network protection](./evaluate-exploit-protection.md)
+- [Evaluate controlled folder access](./evaluate-controlled-folder-access.md)
 - [Evaluate application guard](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
 - [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
 
 ## Evaluate next generation protection
+
 Next gen protections help detect and block the latest threats.
+
 - [Evaluate antivirus](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
 
-
 ## See Also
+
 [Get started with Microsoft Defender Advanced Threat Protection](get-started.md)

windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
@@ -20,14 +21,14 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
 
 This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization.
 
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+> [!TIP]
+> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
 
 ## Use audit mode to measure impact
 
@@ -43,42 +44,27 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
 
 This enables all attack surface reduction rules in audit mode.
 
->[!TIP]
->If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
-You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md).
+> [!TIP]
+> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md).
 
 ## Review attack surface reduction events in Windows Event Viewer
 
 To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
 
-
-| Event ID | Description |
-|----------|-------------|
-|5007      | Event when settings are changed |
-| 1121     | Event when an attack surface reduction rule fires in block mode |
-| 1122     | Event when an attack surface reduction rule fires in audit mode |
+ Event ID | Description
+-|-
+ 5007 | Event when settings are changed
+ 1121 | Event when an attack surface reduction rule fires in block mode
+ 1122 | Event when an attack surface reduction rule fires in audit mode
 
 ## Customize attack surface reduction rules
 
-During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
+During your evaluation, you may wish to configure each rule individually or exclude certain files and processes from being evaluated by the feature.
 
 See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
 
 ## Related topics
-- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
-- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
-
-
-
-
-
-
-
-
-
-
-
-
-
 
+* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+* [Use audit mode to evaluate Windows Defender](audit-windows-defender.md)

windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 11/16/2018
@@ -20,16 +21,16 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
+[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
 
 It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
 
 This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
 
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+> [!TIP]
+> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
 
 ## Use audit mode to measure impact
 
@@ -43,27 +44,28 @@ To enable audit mode, use the following PowerShell cmdlet:
 Set-MpPreference -EnableControlledFolderAccess AuditMode
 ```
 
->[!TIP]
->If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
-You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md).
+> [!TIP]
+> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
 
 ## Review controlled folder access events in Windows Event Viewer
 
 The following controlled folder access events appear in Windows Event Viewer under Microsoft/Windows/Windows Defender/Operational folder.
 
-| Event ID | Description |
-| --- | --- |
-| 5007     | Event when settings are changed |
-| 1124     | Audited controlled folder access event |
-| 1123     | Blocked controlled folder access event |
+Event ID | Description
+-|-
+ 5007 | Event when settings are changed
+ 1124 | Audited controlled folder access event
+ 1123 | Blocked controlled folder access event
 
 ## Customize protected folders and apps
 
-During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. 
+During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
 
-See [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
+See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
 
 ## Related topics
-- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
-- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md)
-- [Use audit mode](audit-windows-defender-exploit-guard.md)
+
+* [Protect important folders with controlled folder access](controlled-folders.md)
+* [Evaluate Microsoft Defender ATP]../(microsoft-defender-atp/evaluate-atp.md)
+* [Use audit mode](audit-windows-defender.md)

windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
@@ -20,70 +21,69 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[Exploit protection](exploit-protection-exploit-guard.md) helps protect devices from malware that uses exploits to spread and infect other devices. 
+[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices.
 It consists of a number of mitigations that can be applied to either the operating system or an individual app.
-Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. 
+Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection.
 
-This topic helps you enable exploit protection in audit mode and review related events in Event Viewer. 
+This topic helps you enable exploit protection in audit mode and review related events in Event Viewer.
 You can enable audit mode for certain app-level mitigations to see how they will work in a test environment.
 This lets you see a record of what *would* have happened if you had enabled the mitigation in production.
 You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur.
 
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
+> [!TIP]
+> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
 
 ## Enable exploit protection in audit mode
 
-You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell. 
+You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell.
 
 ### Windows Security app
 
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-      
+
 3. Go to **Program settings** and choose the app you want to apply mitigations to:
 
     1. If the app you want to configure is already listed, click it and then click **Edit**
     2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
-        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-		        
+        * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+        * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 
 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 
 ### PowerShell
 
-To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet. 
+To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet.
 
 Configure each mitigation in the following format:
 
-
 ```PowerShell
 Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
 ```
 
 Where:
 
-- \<Scope>:
-    - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
-- \<Action>:
-    - `-Enable` to enable the mitigation
-    - `-Disable` to disable the mitigation
-- \<Mitigation>:
-    - The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
+* \<Scope>:
+  * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
+* \<Action>:
+  * `-Enable` to enable the mitigation
+    * `-Disable` to disable the mitigation
+* \<Mitigation>:
+  * The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
 
-| Mitigation | Audit mode cmdlet |
-| - | - |
-|Arbitrary code guard (ACG) |  AuditDynamicCode |
-|Block low integrity images |  AuditImageLoad   |
-|Block untrusted fonts | AuditFont,   FontAuditOnly |
-|Code integrity guard |   AuditMicrosoftSigned,   AuditStoreSigned |
-|Disable Win32k system calls  |   AuditSystemCall |
-|Do not allow child processes |   AuditChildProcess |
+ Mitigation | Audit mode cmdlet
+-|-
+ Arbitrary code guard (ACG) | AuditDynamicCode
+ Block low integrity images | AuditImageLoad
+ Block untrusted fonts | AuditFont, FontAuditOnly
+ Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned
+ Disable Win32k system calls | AuditSystemCall
+ Do not allow child processes | AuditChildProcess
 
 For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command:
 
@@ -98,21 +98,21 @@ You can disable audit mode by replacing `-Enable` with `-Disable`.
 To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
 
 Feature | Provider/source | Event ID | Description
-:-|:-|:-:|:-
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
+-|-|-|-
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
 
 ## Related topics
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Enable exploit protection](enable-exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
-- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
-- [Enable network protection](enable-network-protection.md)
-- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md)
-- [Enable attack surface reduction](enable-attack-surface-reduction.md)
 
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
+* [Enable network protection](enable-network-protection.md)
+* [Enable controlled folder access](enable-controlled-folders.md)
+* [Enable attack surface reduction](enable-attack-surface-reduction.md)

windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/10/2019
@@ -20,15 +21,14 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+[Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
 
 This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.
 
-
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work.
+> [!TIP]
+> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work.
 
 ## Enable network protection in audit mode
 
@@ -51,10 +51,10 @@ You might want to do this to make sure it doesn't affect line-of-business apps o
 
 The network connection will be allowed and a test message will be displayed.
 
-![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png)
- 
+![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](../images/np-notif.png)
+
 ## Review network protection events in Windows Event Viewer
- 
+
 To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
 
 | Event ID | Provide/Source | Description |
@@ -63,10 +63,8 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev
 |1125 | Windows Defender (Operational) | Event when a network connection is audited |
 |1126 | Windows Defender (Operational) | Event when a network connection is blocked |
 
-
 ## Related topics
 
-- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
-- [Network protection](network-protection-exploit-guard.md)
-- [Enable network protection](enable-network-protection.md)
-- [Troubleshoot network protection](troubleshoot-np.md)
+* [Network protection](network-protection.md)
+* [Enable network protection](enable-network-protection.md)
+* [Troubleshoot network protection](troubleshoot-np.md)

windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md

@@ -43,6 +43,13 @@ When you access the evaluation lab for the first time, you'll find an introducti
 
 It's a good idea to read the guide before starting the evaluation process so that you can conduct a thorough assessment of the platform.
 
+>[!NOTE]
+>- Each environment is provisioned with only three test machines.
+>- Each machine will be available for only three days from the day of activation.
+>- When you've used up these three machines, no new machines are provided.
+Deleting a machine does not refresh the available test machine count.
+>- Given the limited resources, it’s advisable to use the machines carefully.
+
 
 ## Evaluation setup 
 When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with connection details. The machine will be configured with the most up to date version of Windows 10 and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals.
@@ -78,7 +85,11 @@ Automated investigation settings will be dependent on tenant settings. It will b
 3. Select **Add machine**.
 
     >[!WARNING]
-    > The evaluation environment can only be provisioned up to three test machines. Each machine will only be available for three days from the day of activation. 
+    >- Each environment is provisioned with only three test machines.
+    >- Each machine will be available for only three days from the day of activation.
+    >- When you've used up these three machines, no new machines are provided.
+        Deleting a machine does not refresh the available test machine count.
+    >- Given the limited resources, it’s advisable to use the machines carefully.
 
    ![Image of add machine](images/evaluation-add-machine.png)
 

windows/security/threat-protection/microsoft-defender-atp/event-views.md

@@ -11,9 +11,11 @@ ms.sitesec: library
 ms.pagetype: security
 ms.date: 04/16/2018
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 03/26/2019
+manager: dansimp
 ---
 
 # View attack surface reduction events
@@ -28,7 +30,7 @@ Reviewing the events is also handy when you are evaluating the features, as you
 
 This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
 
-You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). 
+You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
 
 ## Use custom views to review attack surface reduction capabilities
 
@@ -36,45 +38,43 @@ You can create custom views in the Windows Event Viewer to only see events for s
 
 The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page.
 
-You can also manually navigate to the event area that corresponds to the feature. 
+You can also manually navigate to the event area that corresponds to the feature.
 
 ### Import an existing XML custom view
 
 1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml):
-    -  Controlled folder access events custom view: *cfa-events.xml*
-    -  Exploit protection events custom view: *ep-events.xml*
-    -  Attack surface reduction events custom view: *asr-events.xml*
-    -  Network/ protection events custom view: *np-events.xml*
+    - Controlled folder access events custom view: *cfa-events.xml*
+    - Exploit protection events custom view: *ep-events.xml*
+    - Attack surface reduction events custom view: *asr-events.xml*
+    - Network/ protection events custom view: *np-events.xml*
 
 1. Type **event viewer** in the Start menu and open **Event Viewer**.
 
-3. Click **Action** > **Import Custom View...**
+1. Click **Action** > **Import Custom View...**
 
-    ![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif)
+    ![Animation highlighting Import custom view on the left of the Even viewer window](../images/events-import.gif)
 
-4. Navigate to where you extracted XML file for the custom view you want and select it. 
+1. Navigate to where you extracted XML file for the custom view you want and select it.
 
-4. Click **Open**.
-
-5. This will create a custom view that filters to only show the events related to that feature.
+1. Click **Open**.
 
+1. This will create a custom view that filters to only show the events related to that feature.
 
 ### Copy the XML directly
 
-
 1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
 
-3. On the left panel, under **Actions**, click **Create Custom View...**
+1. On the left panel, under **Actions**, click **Create Custom View...**
 
-    ![Animation highlighting the create custom view option on the Event viewer window](images/events-create.gif)
+    ![Animation highlighting the create custom view option on the Event viewer window](../images/events-create.gif)
 
-4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
+1. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
 
-5.  Paste the XML code for the feature you want to filter events from into the XML section.
+1. Paste the XML code for the feature you want to filter events from into the XML section.
 
-4. Click **OK**. Specify a name for your filter.
+1. Click **OK**. Specify a name for your filter.
 
-5. This will create a custom view that filters to only show the events related to that feature.
+1. This will create a custom view that filters to only show the events related to that feature.
 
 ### XML for attack surface reduction rule events
 
@@ -131,7 +131,6 @@ You can also manually navigate to the event area that corresponds to the feature
 
 ## List of attack surface reduction events
 
-
 All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
 
 You can access these events in Windows Event viewer:
@@ -140,7 +139,7 @@ You can access these events in Windows Event viewer:
 2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below.
 3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking.
 
-   ![Animation showing using Event Viewer](images/event-viewer.gif)
+   ![Animation showing using Event Viewer](../images/event-viewer.gif)
 
 Feature | Provider/source | Event ID | Description
 :-|:-|:-:|:-
@@ -171,13 +170,13 @@ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 24 | ROP Sim
 Exploit protection | WER-Diagnostics | 5 | CFG Block
 Exploit protection | Win32K (Operational) | 260 | Untrusted Font
 Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed
-Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode 
-Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode 
+Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode
+Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode
 Controlled folder access | Windows Defender (Operational) | 5007 | Event when settings are changed
 Controlled folder access | Windows Defender (Operational) | 1124 | Audited Controlled folder access event
 Controlled folder access | Windows Defender (Operational) | 1123 | Blocked Controlled folder access event
 Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Controlled folder access sector write block event
 Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event
 Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
-Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode 
-Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode 
+Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
+Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode

windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md

@@ -0,0 +1,137 @@
+---
+title: Apply mitigations to help prevent attacks through vulnerabilities
+keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
+description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+author: levinec
+ms.author: ellevin
+ms.date: 04/02/2019
+ms.reviewer: 
+manager: dansimp
+---
+
+# Protect devices from exploits
+
+**Applies to:**
+
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803.
+
+> [!TIP]
+> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+
+Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
+
+You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once.
+
+When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
+
+You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled.
+
+Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10.
+
+> [!IMPORTANT]
+> If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
+
+> [!WARNING]
+> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network.
+
+## Review exploit protection events in the Microsoft Security Center
+
+Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
+
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
+
+Here is an example query:
+
+```PowerShell
+MiscEvents
+| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
+```
+
+## Review exploit protection events in Windows Event Viewer
+
+You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:
+
+Provider/source | Event ID | Description
+-|-|-
+Security-Mitigations | 1 | ACG audit
+Security-Mitigations | 2 | ACG enforce
+Security-Mitigations | 3 | Do not allow child processes audit
+Security-Mitigations | 4 | Do not allow child processes block
+Security-Mitigations | 5 | Block low integrity images audit
+Security-Mitigations | 6 | Block low integrity images block
+Security-Mitigations | 7 | Block remote images audit
+Security-Mitigations | 8 | Block remote images block
+Security-Mitigations | 9 | Disable win32k system calls audit
+Security-Mitigations | 10 | Disable win32k system calls block
+Security-Mitigations | 11 | Code integrity guard audit
+Security-Mitigations | 12 | Code integrity guard block
+Security-Mitigations | 13 | EAF audit
+Security-Mitigations | 14 | EAF enforce
+Security-Mitigations | 15 | EAF+ audit
+Security-Mitigations | 16 | EAF+ enforce
+Security-Mitigations | 17 | IAF audit
+Security-Mitigations | 18 | IAF enforce
+Security-Mitigations | 19 | ROP StackPivot audit
+Security-Mitigations | 20 | ROP StackPivot enforce
+Security-Mitigations | 21 | ROP CallerCheck audit
+Security-Mitigations | 22 | ROP CallerCheck enforce
+Security-Mitigations | 23 | ROP SimExec audit
+Security-Mitigations | 24 | ROP SimExec enforce
+WER-Diagnostics | 5 | CFG Block
+Win32K | 260 | Untrusted Font
+
+## Mitigation comparison
+
+The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server 2016 (starting with version 1803), under [Exploit protection](exploit-protection.md).
+
+The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.
+
+Mitigation | Available under Exploit protection | Available in EMET
+-|-|-
+Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />As "Memory Protection Check"
+Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br/>As "Load Library Check"
+Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />Included natively in Windows 10<br/>See  [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See  [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+
+> [!NOTE]
+> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process.
+>
+> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
+
+## Related topics
+
+* [Protect devices from exploits](exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)

windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md

@@ -117,4 +117,3 @@ $response
 - [Microsoft Defender ATP APIs](apis-intro.md)
 - [Advanced Hunting API](run-advanced-query-api.md)
 - [Advanced Hunting using Python](run-advanced-query-sample-python.md)
-- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)

windows/security/threat-protection/microsoft-defender-atp/get-started.md

@@ -1,74 +0,0 @@
----
-title: Get started with Microsoft Defender Advanced Threat Protection
-ms.reviewer: 
-description: Learn about the minimum requirements and initial steps you need to take to get started with Microsoft Defender ATP.
-keywords: get started, minimum requirements, setup, subscription, features, data storage, privacy, user access
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: conceptual
-ms.date: 11/20/2018
----
-
-# Get started with Microsoft Defender Advanced Threat Protection
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->[!TIP]
->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
-
-Learn about the minimum requirements and initial steps you need to take to get started with Microsoft Defender ATP.
-
-The following capabilities are available across multiple products that make up the Microsoft Defender ATP platform.
-
-**Threat & Vulnerability Management**<br>
-Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. This infrastructure correlates endpoint detection and response (EDR) insights with endpoint vulnerabilities real-time, thus reducing organizational vulnerability exposure and increasing threat resilience. 
-
-**Attack surface reduction**<br>
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. 
-
-**Next generation protection**<br>
-To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
-
-**Endpoint detection and response**<br>
-Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. 
-
-**Auto investigation and remediation**<br>
-In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. 
-
-**Secure score**<br>
-Microsoft Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network.
-
-**Microsoft Threat Experts**<br>
-Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
-
-**Advanced hunting**<br>
-Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Microsoft Defender Security Center. 
-
-**Management and APIs**<br>
-Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
-
-**Microsoft threat protection**<br>
-Bring the power of Microsoft Threat Protection to your organization.
-
-## In this section 
-Topic | Description 
-:---|:---
-[Minimum requirements](minimum-requirements.md) | Learn about the requirements for onboarding machines to the platform. 
-[Validate licensing and complete setup](licensing.md) | Get guidance on how to check that licenses have been provisioned to your organization and how to access the portal for the first time.
-[Preview features](preview.md) | Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
-[Data storage and privacy](data-storage-privacy.md) | Explains the data storage and privacy details related to Microsoft Defender ATP.
-[Assign user access to the portal](assign-portal-access.md) | Set permissions to manage who can access the portal. You can set basic permissions or set granular permissions using role-based access control (RBAC).
-[Evaluate Microsoft Defender ATP](evaluate-atp.md) | Evaluate the various capabilities in Microsoft Defender ATP and test features out.
-[Access the Microsoft Defender Security Center Community Center](community.md) | The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. 

windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/30/2018
@@ -20,13 +21,11 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
 
-It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
-
-Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection. 
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection.
 
 You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
 
@@ -34,7 +33,7 @@ You can also convert and import an existing EMET configuration XML file into an
 
 This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
 
-The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
+The [Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
 
 ## Create and export a configuration file
 
@@ -50,14 +49,14 @@ When you have configured exploit protection to your desired state (including bot
 
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
 
-    ![Highlight of the Exploit protection settings option in the Windows Security app](images/wdsc-exp-prot.png)
-        
+    ![Highlight of the Exploit protection settings option in the Windows Security app](../images/wdsc-exp-prot.png)
+
 3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
 
-![Highlight of the Export Settings option](images/wdsc-exp-prot-export.png)
+![Highlight of the Export Settings option](../images/wdsc-exp-prot-export.png)
 
->[!NOTE]
->When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
+> [!NOTE]
+> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
 
 ### Use PowerShell to export a configuration file
 
@@ -65,7 +64,7 @@ When you have configured exploit protection to your desired state (including bot
 2. Enter the following cmdlet:
 
     ```PowerShell
-    Get-ProcessMitigation -RegistryConfigFilePath filename.xml 
+    Get-ProcessMitigation -RegistryConfigFilePath filename.xml
     ```
 
 Change `filename` to any name or location of your choosing.
@@ -74,7 +73,7 @@ Example command
 **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
 
 > [!IMPORTANT]
-> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. 
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
 
 ## Import a configuration file
 
@@ -84,12 +83,11 @@ After importing, the settings will be instantly applied and can be reviewed in t
 
 ### Use PowerShell to import a configuration file
 
-
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
 
     ```PowerShell
-    Set-ProcessMitigation -PolicyFilePath filename.xml 
+    Set-ProcessMitigation -PolicyFilePath filename.xml
     ```
 
 Change `filename` to the location and name of the exploit protection XML file.
@@ -97,11 +95,9 @@ Change `filename` to the location and name of the exploit protection XML file.
 Example command
 **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**
 
-
->[!IMPORTANT]
+> [!IMPORTANT]
 >
->Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
-
+> Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
 
 ## Convert an EMET configuration file to an exploit protection configuration file
 
@@ -109,14 +105,13 @@ You can convert an existing EMET configuration file to the new format used by ex
 
 You can only do this conversion in PowerShell.
 
->[!WARNING]
+> [!WARNING]
 >
->You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
+> You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
 >
->However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file. 
+> However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file.
 >
->You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
-
+> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
 
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
@@ -127,46 +122,45 @@ You can only do this conversion in PowerShell.
 
 Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
 
->[!IMPORTANT]
+> [!IMPORTANT]
 >
->If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
+> If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
 >
 > 1. Open the PowerShell-converted XML file in a text editor.
 > 2. Search for `ASLR ForceRelocateImages="false"` and change it to `ASLR ForceRelocateImages="true"` for each app that you want Mandatory ASLR to be enabled.
 
-
 ## Manage or deploy a configuration
 
 You can use Group Policy to deploy the configuration you've created to multiple machines in your network.
 
 > [!IMPORTANT]
-> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location. 
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location.
 
 ### Use Group Policy to distribute the configuration
 
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
-3.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
 
-5.  Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
+3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
 
-    ![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png)
+    ![Screenshot of the group policy setting for exploit protection](../images/exp-prot-gp.png)
 
-6. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**. 
+4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
 
-7. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
-    - C:\MitigationSettings\Config.XML
-    -  \\\Server\Share\Config.xml
-    -  https://localhost:8080/Config.xml
-    - C:\ExploitConfigfile.xml
+5. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
 
-8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). 
+    * C:\MitigationSettings\Config.XML
+    * \\\Server\Share\Config.xml
+    * https://localhost:8080/Config.xml
+    * C:\ExploitConfigfile.xml
 
+6. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
 
 ## Related topics
 
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Enable exploit protection](enable-exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Protect devices from exploits](exploit-protection.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)

windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md

@@ -1,38 +0,0 @@
----
-title: Incidents queue in Microsoft Defender ATP
-description:
-keywords: incidents, aggregate, investigations, queue, ttp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: conceptual
----
-
-# Incidents in Microsoft Defender ATP
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Microsoft Defender ATP will quickly trigger alerts and launch matching automatic investigations. 
-
-Microsoft Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
- 
-
-## In this section
-
-Topic | Description 
-:---|:---
-[View and organize the Incidents queue](view-incidents-queue.md)|  See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
-[Manage incidents](manage-incidents.md) | Learn how to manage incidents by assigning it, updating its status, or setting its classification and other actions.
-[Investigate incidents](investigate-incidents.md)|  See associated alerts, manage the incident, see alert metadata, and visualizations to help you investigate an incident.
-
-

windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md

@@ -1,84 +0,0 @@
----
-title: Manage allowed/blocked lists
-description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities.
-keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
----
-
-# Manage allowed/blocked lists
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
-
-Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
-
-On the top navigation you can:
-- Import a list
-- Add an indicator 
-- Customize columns to add or remove columns 
-- Export the entire list in CSV format
-- Select the items to show per page
-- Navigate between pages
-- Apply filters 
-
-## Create an indicator
-1. In the navigation pane, select **Settings** > **Allowed/blocked list**.  
-
-2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities: 
-   - File hash
-   - IP address
-   - URLs/Domains
-  
-3. Click **Add indicator**.
-
-4. For each attribute specify the following details:
-   - Indicator - Specify the entity details and define the expiration of the indicator.
-   - Action - Specify the action to be taken and provide a description.
-   - Scope - Define the scope of the machine group.
-    
-5. Review the details in the Summary tab, then click **Save**.
-
-
->[!NOTE]
->Blocking IPs, domains, or URLs is currently available on limited preview only.
->This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforced which is an option that will be generally available soon. 
->As it is not yet generally available, when Automated investigations finds this indicator during an investigation it will use the allowed/block list as the basis of its decision to automatically remediate (blocked list) or skip (allowed list) the entity.
-
-
-## Manage indicators
-1. In the navigation pane, select **Settings** > **Allowed/blocked list**.  
-
-2. Select the tab of the entity type you'd like to manage.  
-
-3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
-
-## Import a list
-You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details. 
-
-Download the sample CSV to know the supported column attributes. 
-
-
-## Related topics
-- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)
-
-
-
-
-

windows/security/threat-protection/microsoft-defender-atp/network-protection.md

@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/30/2019
@@ -20,40 +21,40 @@ manager: dansimp
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. 
+Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
 
 It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
 
 Network protection is supported beginning with Windows 10, version 1709.
 
->[!TIP]
->You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+> [!TIP]
+> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
 
 Network protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
 
 When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
 
-You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network protection would impact your organization if it were enabled.
+You can also use [audit mode](audit-windows-defender.md) to evaluate how Network protection would impact your organization if it were enabled.
 
 ## Requirements
 
 Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection.
 
 Windows 10 version | Windows Defender Antivirus
-- | -
+-|-
 Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
 
 ## Review network protection events in the Microsoft Defender ATP Security Center
 
-Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). 
+Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
 
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
 
-Here is an example query 
+Here is an example query
 
-```
+```PowerShell
 MiscEvents
 | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
 ```
@@ -62,7 +63,7 @@ MiscEvents
 
 You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain:
 
-1. [Copy the XML directly](event-views-exploit-guard.md).
+1. [Copy the XML directly](event-views.md).
 
 2. Click **OK**.
 
@@ -71,12 +72,10 @@ You can review the Windows event log to see events that are created when network
    Event ID | Description
    -|-
    5007 | Event when settings are changed
-   1125 | Event when network protection fires in audit mode 
-   1126 | Event when network protection fires in block mode 
+   1125 | Event when network protection fires in audit mode
+   1126 | Event when network protection fires in block mode
 
-   ## Related topics
+## Related topics
 
-Topic | Description 
----|---
 [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created.
 [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.

windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt

@@ -27,10 +27,10 @@
 #### [Application control]()
 ##### [Windows Defender Application Guard](../windows-defender-application-control/windows-defender-application-control.md)
 
-#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
-#### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
-#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
-#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md)
+#### [Network protection](../windows-defender-exploit-guard/network-protection.md)
+#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders.md)
+#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction.md)
 #### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md)
 
 
@@ -196,8 +196,8 @@
 #### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)
 
 #### [Controlled folder access]()
-##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
-##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
+##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders.md)
+##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders.md)
 
 #### [Attack surface reduction controls]()
 ##### [Enable attack surface reduction rules](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
@@ -413,15 +413,10 @@
 ####### [Get user related machines](get-user-related-machines.md)
 
 ##### [How to use APIs - Samples]()
-###### [Advanced Hunting API]()
-####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
-####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
-####### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
-####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
-
-###### [Multiple APIs]()
-####### [PowerShell](exposed-apis-full-sample-powershell.md)
-
+###### [Microsoft Flow](api-microsoft-flow.md)
+###### [Power BI](api-power-bi.md)
+###### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
 ###### [Using OData Queries](exposed-apis-odata-samples.md)
 
 #### [API for custom alerts]()

windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md

@@ -2,7 +2,7 @@
 title: Overview of attack surface reduction
 ms.reviewer: 
 description: Learn about the attack surface reduction capability in Microsoft Defender ATP
-keywords: 
+keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender, antivirus, av, windows defender
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -21,16 +21,16 @@ ms.topic: conceptual
 # Overview of attack surface reduction
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. 
+Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
 
-| Article | Description |
-|------------|-------------|
-| [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. |
-| [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. |
-| [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. |
-| [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) | 
-| [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) |
-| [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus)  |
-| [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. |
+Article | Description
+-|-
+[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
+[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run.
+[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
+[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) | 
+[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus)
+[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus)
+[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering.

windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md

@@ -22,7 +22,7 @@ ms.topic: conceptual
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 >[!NOTE]    
->  Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
+>  Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks.
 
 The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
 

windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md

@@ -202,7 +202,7 @@ In general, if you know of a specific threat name, CVE, or KB, you can identify
 
 
 ## Related topic
-- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
+- [Create custom Power BI reports](api-power-bi.md)
 
 
 

windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md

@@ -16,6 +16,7 @@ audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ---
+
 # Configure Microsoft Defender Security Center settings
 
 **Applies to:**
@@ -34,4 +35,3 @@ Permissions | Manage portal access using RBAC as well as machine groups.
 APIs | Enable the threat intel and SIEM integration.
 Rules | Configure suppressions rules and automation settings.
 Machine management | Onboard and offboard machines.
-

windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md

@@ -157,6 +157,20 @@ When you select this action, a fly-out will appear. From the fly-out, you can re
 
 If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled.
 
+## Check activity details in Action center
+
+The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the following details:
+
+- Investigation package collection
+- Antivirus scan
+- App restriction
+- Machine isolation
+
+All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.
+
+![Image of action center with information](images/action-center-details.png)
+
+
 ## Deep analysis
 
 Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.

windows/security/threat-protection/microsoft-defender-atp/response-actions.md

@@ -1,39 +0,0 @@
----
-title: Take response actions on files and machines in Microsoft Defender ATP
-description: Take response actions on files and machines by stopping and quarantining files, blocking a file, isolating machines, or collecting an investigation package.
-keywords: respond, stop and quarantine, block file, deep analysis, isolate machine, collect investigation package, action center
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
----
-
-# Take response actions in Microsoft Defender ATP
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responseactions-abovefoldlink) 
-
-You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization.
-
->[!NOTE]
-> The machine related response actions are only available for machines on Windows 10 (version 1703 or higher), Windows Server, version 1803 and Windows Server 2019.
-
-## In this section
-Topic | Description
-:---|:---
-[Take response actions on a machine](respond-machine-alerts.md)| Isolate machines or collect an investigation package.
-[Take response actions on a file](respond-file-alerts.md)| Stop and quarantine files or block a file from your network.