diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 7e98cba59b..b4bbe78a9d 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -8,11 +8,14 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: dulcemontemayor
-ms.author: dansimp
+ms.author: v-tea
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.reviewer:
+ms.custom:
+- CI 120967
+- CSSTroubleshooting
---
# Manage Windows Defender Credential Guard
@@ -154,14 +157,25 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: 0x1, 0
- - The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means it's not configured to run.
- - The second variable: 0 means it's configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
+ - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0**
+ - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run.
+ - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
- **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
- **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
+ - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+ - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.
+ - You can use Windows Powershell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated Powershell window and run the following command:
+
+ ```powershell
+ (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
+ ```
+
+ This command generates the following output:
+ - **0**: Windows Defender Credential Guard is disabled (not running)
+ - **1**: Windows Defender Credential Guard is enabled (running)
+ > [!NOTE]
+ > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running.
## Disable Windows Defender Credential Guard
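Review bot: The new Event ID 14 entry treats **0x1** and **0x2** identically ("configured to run") without saying how they differ, so an admin reading the event cannot tell which configuration a PC is in; add a clause for each value. In the added PowerShell step, the output list documents only 0 and 1; if `SecurityServicesRunning` can return other values, or more than one, list them or state that only these two matter for Credential Guard. The Event ID 51 sample shows "TPM PCR mask: **0x0**", which by the sentence above it is the no-TPM case, and that should be stated. Smaller points: "Powershell" should be "PowerShell", "credential guard" should use the full product name as the rest of the page does, and the bolding on the Event ID 51 line is applied to some status values but not to "Unsealing cached copy status: 0x1" or "New key generation status: 0x1".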
@@ -221,7 +235,7 @@ You can also disable Windows Defender Credential Guard by using the [HVCI and Wi
```
DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
```
-> [!IMPORTANT]
+> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
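Review bot: The stray `*` at the start of `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture`, on the context line under `> [!IMPORTANT]`, is left in place. Readers will search the script for that exact text and not find it, so drop the `*` while this block is being touched. The hunk itself changes only whitespace on the `[!IMPORTANT]` line.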
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
index 182bb5e356..4c9046ca63 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
@@ -29,8 +29,8 @@ Directory enables enforcing Device compliance and Conditional Access policies
based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense
(MTD) solution that you can deploy to leverage this capability via Intune.
-For more information on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
-Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
+For more information about how to set up Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
+Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
## Configure custom indicators
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
index b0cad379e8..2251cef5dc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@@ -108,13 +108,18 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
+
2. Click **Device configuration** > **Profiles** > **Create profile**.
-3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
- 
+
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
+ 
+
4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
-5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
- 
+
+5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:

+
6. Click **OK** to save each open blade and click **Create**.
+
7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
## MDM
@@ -124,19 +129,26 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
## Microsoft Endpoint Configuration Manager
1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
-1. Enter a name and a description, click **Exploit protection**, and click **Next**.
-1. Browse to the location of the exploit protection XML file and click **Next**.
-1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+
+2. Click **Home** > **Create Exploit Guard Policy**.
+
+3. Enter a name and a description, click **Exploit protection**, and click **Next**.
+
+4. Browse to the location of the exploit protection XML file and click **Next**.
+
+5. Review the settings and click **Next** to create the policy.
+
+6. After the policy is created, click **Close**.
## Group Policy
1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
-3. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
+
+4. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
## PowerShell
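Review bot: In the Group Policy list, renumbered step 2 ("In the **Group Policy Management Editor** go to ...") follows step 1 with no blank line, while every other step in this hunk, including all of the Configuration Manager steps, gets a blank separator line. Add the blank line after step 1 so both lists are spaced the same way. Also, step 4 chains two "and" clauses ("Click **Enabled** and type the location ... and click **OK**"); a comma after **Enabled** would read better.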
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-updated.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-updated.png
new file mode 100644
index 0000000000..0e2d2fd929
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-updated.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane-updated.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane-updated.png
new file mode 100644
index 0000000000..88d8fb23d2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane-updated.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
index 249d6de806..8ee9cd8e12 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
@@ -29,12 +29,20 @@ Managing incidents is an important part of every cybersecurity operation. You ca
Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
-
+
-You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
+You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
-
+> [!TIP]
+> For additional visibility at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident.
+>
+> For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
+>
+> Incidents that existed prior the rollout of automatic incident naming will not have their name changed.
+>
+> Learn more about [turning on preview features](preview.md#turn-on-preview-features).
+
## Assign incidents
If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
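Review bot: "Incidents that existed prior the rollout" in the added TIP is missing "to" and should read "prior to the rollout". "At-a-glance" used adverbially should be "at a glance". The same three paragraphs are added again in view-incidents-queue.md; consider keeping the full text in one place and linking to it from the other, so the preview status only needs updating once. The second removed image line (after "keep track of their progress") has no replacement in this hunk; confirm that is intended, given that two new PNGs are added in this change.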
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index a1d0887eda..3555d2490e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -94,7 +94,7 @@ From the flyout, you can do any of the following:
- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet.
>[!NOTE]
->When a change is made on a device, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.
+>When a change is made on a device, it typically takes two hours for the data to be reflected in the Microsoft Defender Security Center. However, it may sometimes take longer.
### Investigate changes in machine exposure or impact
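Review bot: The reworded NOTE drops the upper bound ("up to two hours") in favour of "typically takes two hours ... may sometimes take longer", which leaves readers with no limit to plan around when confirming that a remediation has registered. Either give a maximum expected delay or say what to check if the data has not updated. The two sentences can also be merged: "it typically takes two hours, but may sometimes take longer, for the data to be reflected ...".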
diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
index f215fda3db..0a72f9fa7d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
@@ -63,6 +63,17 @@ You can choose to limit the list of incidents shown based on their status to see
### Data sensitivity
Use this filter to show incidents that contain sensitivity labels.
+## Incident naming
+
+To understand the incident's scope at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories.
+
+For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
+
+> [!NOTE]
+> Incidents that existed prior the rollout of automatic incident naming will not have their name changed.
+
+Learn more about [turning on preview features](preview.md#turn-on-preview-features).
+
## Related topics
- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
- [Manage incidents](manage-incidents.md)
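Review bot: "Incidents that existed prior the rollout" in the added NOTE should read "prior to the rollout", and "at-a-glance" in the first added paragraph should be "at a glance". The new "## Incident naming" heading is a level-2 section placed directly after the "### Data sensitivity" filter subsection, so check that it is not meant to sit with the filters. The wording duplicates the TIP added to manage-incidents.md, so the two should be kept in sync or reduced to one copy plus a link.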