diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png
index 454fe3df0a..8b003013f0 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png and b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png
index 7f9774389c..bc2fdb105b 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png and b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png differ
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 66995768bb..f3370a363a 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -73,8 +73,8 @@
#### [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md)
-##### [Threat analytics](windows-defender-atp/threat-analytics.md)
-###### [Threat analytics for Spectre and Meltdown](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+#### [Threat analytics](windows-defender-atp/threat-analytics.md)
+
#### [Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md)
##### [Query data using Advanced hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md)
###### [Advanced hunting reference](windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
index d6d7af1bda..5b2eef2194 100644
--- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
@@ -89,16 +89,6 @@ By default, members of the **Administrators** group, the System account, and ser
When non-administrators need to access a server using Remote Desktop, add the users to the **Remote Desktop Users** group rather than assining them this user right.
-### Vulnerability
-
->**Caution:** A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts.
-
-Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any currently logged on account. They could escalate their privileges or create a denial-of-service (DoS) condition.
-
-### Countermeasure
-
-Do not assign the **Create a token object** user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account with this user right assigned.
-
### Potential impact
None. Not Defined is the default domain policy configuration.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index 4afd9a96e5..64037f0090 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -33,6 +33,8 @@ Custom exclusions take precedence over automatic exclusions.
> [!TIP]
> Custom and duplicate exclusions do not conflict with automatic exclusions.
+
+
Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
## Opt out of automatic exclusions
@@ -45,6 +47,9 @@ In Windows Server 2016, the predefined exclusions delivered by Security intellig
> [!NOTE]
> This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on exclusions.
+> [!TIP]
+> Since the predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path *different than the original one*, you would have to manually add the exclusions using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
+
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
@@ -382,4 +387,4 @@ This section lists the folder exclusions that are delivered automatically when y
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index b2bfc0807f..5d587e3b8d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -41,7 +41,7 @@ System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection poi
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][]
Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
-Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
+Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
1.
The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_10_ClientApps.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_10_ClientApps.png
new file mode 100644
index 0000000000..40c268666e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_10_ClientApps.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_11_Assignments.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_11_Assignments.png
new file mode 100644
index 0000000000..035a3c3b29
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_11_Assignments.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_12_DeviceInstall.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_12_DeviceInstall.png
new file mode 100644
index 0000000000..2ed2c65ff8
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_12_DeviceInstall.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_13_SystemPreferences.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_13_SystemPreferences.png
new file mode 100644
index 0000000000..517583aa77
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_13_SystemPreferences.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_14_SystemPreferencesProfiles.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_14_SystemPreferencesProfiles.png
new file mode 100644
index 0000000000..b12b0271fc
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_14_SystemPreferencesProfiles.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_15_ManagementProfileConfig.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_15_ManagementProfileConfig.png
new file mode 100644
index 0000000000..a70a369613
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_15_ManagementProfileConfig.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_16_PreferenceDomain.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_16_PreferenceDomain.png
new file mode 100644
index 0000000000..674bd944f4
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_16_PreferenceDomain.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_17_approvedKernelExtensions.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_17_approvedKernelExtensions.png
new file mode 100644
index 0000000000..f33c8959c0
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_17_approvedKernelExtensions.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_18_ConfigurationProfilesScope.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_18_ConfigurationProfilesScope.png
new file mode 100644
index 0000000000..35b3fda24e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_18_ConfigurationProfilesScope.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_19_MicrosoftDefenderWDAVPKG.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_19_MicrosoftDefenderWDAVPKG.png
new file mode 100644
index 0000000000..18bbcb06d4
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_19_MicrosoftDefenderWDAVPKG.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_1_RegisterApp.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_1_RegisterApp.png
new file mode 100644
index 0000000000..3cc33ed139
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_1_RegisterApp.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_20_MicrosoftDefenderPackages.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_20_MicrosoftDefenderPackages.png
new file mode 100644
index 0000000000..2ce5ef24b8
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_20_MicrosoftDefenderPackages.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_21_MDMProfile1.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_21_MDMProfile1.png
new file mode 100644
index 0000000000..ec91e2e5ff
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_21_MDMProfile1.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_22_MDMProfileApproved.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_22_MDMProfileApproved.png
new file mode 100644
index 0000000000..4c2a62a20f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_22_MDMProfileApproved.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_23_MDMStatus.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_23_MDMStatus.png
new file mode 100644
index 0000000000..b531be1c10
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_23_MDMStatus.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_24_StatusOnServer.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_24_StatusOnServer.png
new file mode 100644
index 0000000000..466c76234e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_24_StatusOnServer.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_25_StatusOnClient.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_25_StatusOnClient.png
new file mode 100644
index 0000000000..e31a329e3b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_25_StatusOnClient.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png
new file mode 100644
index 0000000000..aa0d5c7caf
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_27_UninstallScript.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_27_UninstallScript.png
new file mode 100644
index 0000000000..200873d9d8
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_27_UninstallScript.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_28_AppInstall.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_28_AppInstall.png
new file mode 100644
index 0000000000..84c4fc4f59
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_28_AppInstall.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_29_AppInstallLogin.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_29_AppInstallLogin.png
new file mode 100644
index 0000000000..dede0a1038
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_29_AppInstallLogin.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_IntuneAppUtil.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_IntuneAppUtil.png
new file mode 100644
index 0000000000..1bc70e06c0
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_IntuneAppUtil.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_30_SystemExtension.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_30_SystemExtension.png
new file mode 100644
index 0000000000..40a57dee27
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_30_SystemExtension.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_31_SecurityPrivacySettings.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_31_SecurityPrivacySettings.png
new file mode 100644
index 0000000000..e6fc0ad449
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_31_SecurityPrivacySettings.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_3_ConfirmDeviceMgmt.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_3_ConfirmDeviceMgmt.png
new file mode 100644
index 0000000000..6771c71e42
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_3_ConfirmDeviceMgmt.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_4_ManagementProfile.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_4_ManagementProfile.png
new file mode 100644
index 0000000000..a52e252d2e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_4_ManagementProfile.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_5_allDevices.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_5_allDevices.png
new file mode 100644
index 0000000000..1a84470e43
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_5_allDevices.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_6_SystemConfigurationProfiles.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_6_SystemConfigurationProfiles.png
new file mode 100644
index 0000000000..be6bc477b4
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_6_SystemConfigurationProfiles.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_7_DeviceStatusBlade.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_7_DeviceStatusBlade.png
new file mode 100644
index 0000000000..379f1bbddd
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_7_DeviceStatusBlade.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png
new file mode 100644
index 0000000000..2cb9a5a416
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_9_IntunePkgInfo.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_9_IntunePkgInfo.png
new file mode 100644
index 0000000000..4d848f6f96
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_9_IntunePkgInfo.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon.png
new file mode 100644
index 0000000000..68b5f4381a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon_Bar.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon_Bar.png
new file mode 100644
index 0000000000..6280f2d7d2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon_Bar.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
new file mode 100644
index 0000000000..18456c6af1
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
@@ -0,0 +1,489 @@
+---
+title: Microsoft Defender ATP for Mac
+description: Describes how to install and use Microsoft Defender ATP for Mac.
+keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Microsoft Defender ATP for Mac
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change.
+Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program.
+
+## Prerequisites
+You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine.
+
+You should also have access to Windows Defender Security Center.
+
+### System Requirements
+Microsoft Defender ATP for Mac system requirements:
+- macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
+- Disk space during preview: 1GB
+- The following URLs must be accessible from the Mac device:
+ - ```https://fresno.blob.core.windows.net/preview/macos/wdav.pkg ```
+ - ```https://cdn.x.cp.wd.microsoft.com/ ```
+ - ```https://eu-cdn.x.cp.wd.microsoft.com/ ```
+ - ```https://wu-cdn.x.cp.wd.microsoft.com/ ```
+ - ```https://x.cp.wd.microsoft.com/ ```
+ - ```https://asia.x.cp.wd.microsoft.com/ ```
+ - ```https://australia.x.cp.wd.microsoft.com/ ```
+ - ```https://europe.x.cp.wd.microsoft.com/ ```
+ - ```https://unitedkingdom.x.cp.wd.microsoft.com/ ```
+ - ```https://unitedstates.x.cp.wd.microsoft.com/ ```
+
+## Installation and configuration overview
+There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
+In general you'll need to take the following steps:
+- [Register macOS devices](#register-macos-devices) with Windows Defender ATP
+- Deploy Microsoft Defender ATP for Mac using any of the following deployment methods and tools:
+ - [Microsoft Intune based deployment](#microsoft-intune-based-deployment)
+ - [JAMF based deployment](#jamf-based-deployment)
+ - [Manual deployment](#manual-deployment)
+
+## Register macOS devices
+To onboard your devices for Microsoft Defender ATP for Mac, you must register the devices with Windows Defender ATP and provide consent to submit telemetry.
+
+Use the following URL to give consent to submit telemetry: ```https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=f9eb614c-7a8e-422a-947d-2059e657d855&response_type=code&sso_reload=true```
+
+> [!NOTE]
+> You may get an error that a page on ```https://ppe.fresno.wd.microsoft.com``` cannot be opened. Disregard the error as it does not affect the onboarding process.
+
+
+
+
+## Deploy Microsoft Defender ATP for Mac
+Use any of the supported methods to deploy Microsoft Defender ATP for Mac
+
+## Microsoft Intune based deployment
+
+### Download installation and onboarding packages
+Download the installation and onboarding packages from Windows Defender Security Center:
+1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
+3. In Section 2 of the page, click **Download installation package**. Save it as wdav.pkg to a local directory.
+4. In Section 2 of the page, click **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos.
+
+ 
+
+6. From a command prompt, verify that you have the three files.
+ Extract the contents of the .zip files:
+
+ ```
+ mavel-macmini:Downloads test$ ls -l
+ total 721688
+ -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil
+ -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
+ -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
+ mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
+ Archive: WindowsDefenderATPOnboardingPackage.zip
+ warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
+ inflating: intune/kext.xml
+ inflating: intune/WindowsDefenderATPOnboarding.xml
+ inflating: jamf/WindowsDefenderATPOnboarding.plist
+ mavel-macmini:Downloads test$
+ ```
+7. Make IntuneAppUtil an executable:
+
+ ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil```
+
+8. Create the wdav.pkg.intunemac package from wdav.pkg:
+
+ ```
+ mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
+ Microsoft Intune Application Utility for Mac OS X
+ Version: 1.0.0.0
+ Copyright 2018 Microsoft Corporation
+
+ Creating intunemac file for /Users/test/Downloads/wdav.pkg
+ Composing the intunemac file output
+ Output written to ./wdav.pkg.intunemac.
+
+ IntuneAppUtil successfully processed "wdav.pkg",
+ to deploy refer to the product documentation.
+ ```
+
+### Client Machine Setup
+You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp).
+
+1. You'll be asked to confirm device management.
+
+
+
+2. Click the **Continue** button, and your Management Profile is displayed as verified:
+
+
+
+You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned.
+
+3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine:
+
+
+
+### Create System Configuration profiles
+1. In Intune open the **Manage > Device configuration** blade. Click **Manage > Profiles > Create Profile**.
+2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Click **Configure**.
+3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above.
+4. Click **OK**.
+
+ 
+
+5. **Click Manage > Assignments**. In the **Include** tab, click **Assign to All Users & All devices**.
+7. Repeat these steps with the second profile.
+8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file.
+9. Click **Manage > Assignments**. In the Include tab, click **Assign to All Users & All devices**.
+
+After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade:
+
+
+
+### Publish application
+
+1. In Intune, open the **Manage > Client apps** blade. Click **Apps > Add**.
+2. Select **App type=Other/Line-of-business app**.
+3. Select **file=wdav.pkg.intunemac**. Click **OK** to upload.
+4. Click **Configure** and add the required information.
+5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value.
+
+ 
+
+6. Click **OK** and **Add**.
+
+ 
+
+7. It will take a while to upload the package. After it's done, click the name and then go to **Assignments** and **Add group**.
+
+ 
+
+8. Change **Assignment type=Required**.
+9. Click **Included Groups**. Select M**ake this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
+
+ 
+
+10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade:
+
+ 
+
+### Verify client machine state
+1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**.
+
+ 
+ 
+
+2. Verify the three profiles listed there:
+ 
+
+3. The **Management Profile** should be the Intune system profile.
+4. wdav-config and wdav-kext are system configuration profiles that we added in Intune.
+5. You should also see the Microsoft Defender icon in the top-right corner:
+
+ 
+
+## JAMF based deployment
+### Prerequsites
+You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow.
+
+
+### Download installation and onboarding packages
+Download the installation and onboarding packages from Windows Defender Security Center:
+1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
+3. In Section 2 of the page, click **Download installation package**. Save it as wdav.pkg to a local directory.
+4. In Section 2 of the page, click **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+
+ 
+
+5. From a command prompt, verify that you have the two files.
+ Extract the contents of the .zip files:
+
+ ```
+ mavel-macmini:Downloads test$ ls -l
+ total 721160
+ -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
+ -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
+ mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
+ Archive: WindowsDefenderATPOnboardingPackage.zip
+ warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
+ inflating: intune/kext.xml
+ inflating: intune/WindowsDefenderATPOnboarding.xml
+ inflating: jamf/WindowsDefenderATPOnboarding.plist
+ mavel-macmini:Downloads test$
+ ```
+
+### Create JAMF Policies
+You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines.
+
+#### Configuration Profile
+The configuration profile contains one custom settings payload that includes:
+
+- Microsoft Defender ATP for Mac onboarding information
+- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run
+
+
+1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File.
+
+ >[!NOTE]
+ > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain.
+
+ 
+
+#### Approved Kernel Extension
+
+To approve the kernel extension:
+1. In **Computers > Configuration Profiles** click **Options > Approved Kernel Extensions**.
+2. Use **UBF8T346G9** for Team Id.
+
+
+
+#### Configuration Profile's Scope
+Configure the appropriate scope to specify the machines that will receive this configuration profile.
+
+In the Configuration Profiles, click **Scope > Targets**. Select the appropriate Target computers.
+
+
+
+Save the **Configuration Profile**.
+
+Use the **Logs** tab to monitor deployment status for each enrolled machine.
+
+#### Package
+1. Create a package in **Settings > Computer Management > Packages**.
+
+ 
+
+2. Upload wdav.pkg to the Distribution Point.
+3. In the **filename** field, enter the name of the package. For example, wdav.pkg.
+
+#### Policy
+Your policy should contain a single package for Microsoft Defender.
+
+
+
+Configure the appropriate scope to specify the computers that will receive this policy.
+
+After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine.
+
+### Client machine setup
+You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment.
+
+> [!NOTE]
+> After a computer is enrolled, it will show up in the Computers inventory (All Computers).
+
+1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and click **Approve** on the MDM Profile.
+
+
+
+
+After some time, the machine's User Approved MDM status will change to Yes.
+
+
+
+You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned.
+
+
+### Deployment
+Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected.
+
+#### Status on server
+You can monitor the deployment status in the Logs tab:
+ - **Pending** means that the deployment is scheduled but has not yet happened
+ - **Completed** means that the deployment succeeded and is no longer scheduled
+
+
+
+
+#### Status on client machine
+After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile.
+
+
+
+After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
+
+
+
+You can monitor policy installation on a machine by following the JAMF's log file:
+
+```
+mavel-mojave:~ testuser$ tail -f /var/log/jamf.log
+Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
+Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"...
+Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
+Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender...
+Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender.
+Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches...
+Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found.
+```
+
+You can also check the onboarding status:
+```
+mavel-mojave:~ testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
+orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
+orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
+orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
+```
+
+- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set.
+
+- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed.
+
+### Uninstalling Microsoft Defender ATP for Mac
+#### Uninstalling with a script
+
+Create a script in **Settings > Computer Management > Scripts**.
+
+
+
+For example, this script removes Microsoft Defender ATP from the /Applications directory:
+
+```
+echo "Is WDAV installed?"
+ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
+
+echo "Uninstalling WDAV..."
+rm -rf '/Applications/Microsoft Defender.app'
+
+echo "Is WDAV still installed?"
+ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
+
+echo "Done!"
+```
+
+#### Uninstalling with a policy
+Your policy should contain a single script:
+
+
+
+Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy.
+
+### Check onboarding status
+
+You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded:
+
+```
+/Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
+```
+
+This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered.
+
+## Manual deployment
+
+### Download installation and onboarding packages
+Download the installation and onboarding packages from Windows Defender Security Center:
+1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
+3. In Section 2 of the page, click **Download installation package**. Save it as wdav.pkg to a local directory.
+4. In Section 2 of the page, click **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+
+ 
+
+5. From a command prompt, verify that you have the two files.
+ Extract the contents of the .zip files:
+
+ ```
+ mavel-macmini:Downloads test$ ls -l
+ total 721152
+ -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
+ -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
+ mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
+ Archive: WindowsDefenderATPOnboardingPackage.zip
+ inflating: WindowsDefenderATPOnboarding.py
+ ```
+
+### Application installation
+To complete this process, you must have admin privileges on the machine.
+
+1. Download the wdav.pkg from: https://fresno.blob.core.windows.net/preview/macos/wdav.pkg.
+
+2. Navigate to the downloaded wdav.pkg in Finder and open it.
+
+ 
+
+3. Click **Continue**, agree with the License terms, and enter the password when prompted.
+
+ 
+
+ > [!IMPORTANT]
+ > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed.
+
+ 
+
+4. Click **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Click **Allow**:
+
+ 
+
+
+The installation will proceed.
+
+> [!NOTE]
+> If you don't click **Allow**, the installation will fail after 5 minutes. You can restart it again at any time.
+
+### Client configuration
+1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac.
+
+ The client machine is not associated with orgId. Note that the orgid is blank.
+
+ ```
+ mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+ uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
+ orgid :
+ ```
+2. Install the configuration file on a client machine:
+
+ ```
+ mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py
+ Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
+ ```
+
+3. Verify that the machine is now associated with orgId:
+
+ ```
+ mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+ uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
+ orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8
+ ```
+After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
+
+ 
+
+## Uninstallation
+### Removing Microsoft Defender ATP from Mac devices
+To remove Microsoft Defender ATP from your macOS devices:
+
+- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**.
+
+Or, from a command line:
+
+- ```sudo rm -rf '/Applications/Microsoft Defender ATP'```
+
+## Known issues
+- Microsoft Defender ATP is not yet optimized for performance or disk space.
+- Centrally managed uninstall using Intune/JAMF is still in development. To uninstall (as a workaround an uninstall action has to be completed on each client device).
+- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only.
+- Full Windows Defender ATP integration is not yet available
+- Not localized yet
+- There might be accessibility issues
+
+### Installation issues
+If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. You can also contact xplatpreviewsupport@microsoft.com for support on onboarding issues.
+
+
+For feedback on the preview, contact: mdatpfeedback@microsoft.com.
+
+
+
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
index 2ee928baee..7bbb3edc4c 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -76,6 +76,11 @@ Application Guard functionality is turned off by default. However, you can quick
Application Guard and its underlying dependencies are all installed.
**To install by using PowerShell**
+
+>[!NOTE]
+>Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only.
+
+
1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**.
2. Right-click **Windows PowerShell**, and then click **Run as administrator**.
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 5904aa5d30..60825d01ab 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -70,8 +70,8 @@
### [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md)
-#### [Threat analytics](threat-analytics.md)
-#### [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+### [Threat analytics](threat-analytics.md)
+
### [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index 9ed8d6f32a..6e0dd42396 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -40,7 +40,7 @@ For tenants created on or after Windows 10, version 1809 the automated investiga
>[!NOTE]
> - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.
->- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overrite it.
+>- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
## Block file
@@ -91,6 +91,14 @@ When you enable this feature, you'll be able to incorporate data from Office 365
To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
+## Microsoft Threat Experts
+This feature is currently on public preview. When you enable this feature, you'll receive targeted attack notifications from Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you configure it.
+
+>[!NOTE]
+>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
+
+
+
## Microsoft Cloud App Security
Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md
index f518883f9b..8e6edc791b 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md
@@ -81,27 +81,49 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
c. Remember to use the ID number from the **Open a support ticket** tab page and include it to the details you will provide in the subsequent Customer Services and Support (CSS) pages.
- **Step 2: Open a support ticket**
-
- >[!NOTE]
- >To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview.
-
+ **Step 2: Open a support ticket**
+ >[!NOTE]
+ >To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview.
+
a. In the **New support request** customer support page, select the following from the dropdown menu and then click **Next**:
- - **Select the product family**: **Security**
- - **Select a product**: **Microsoft Threat Experts**
- - **Select a category that best describes the issue**: **Windows Defender ATP**
- - **Select a problem that best describes the issue**: Choose according to your inquiry category
+ **Select the product family**: **Security**
+ **Select a product**: **Microsoft Threat Experts**
+ **Select a category that best describes the issue**: **Windows Defender ATP**
+ **Select a problem that best describes the issue**: Choose according to your inquiry category
- b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click **Next**.
+ b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click **Next**.
- c. In the **Select a support plan** page, select **Professional No Charge**.
+ c. In the **Select a support plan** page, select **Professional No Charge**.
- d. The severity of your issue has been pre-selected by default, per the support plan, **Professional No Charge**, that you'll use for this public preview. Select the time zone by which you'd like to receive the correspondence. Then, click **Next**.
+ d. The severity of your issue has been pre-selected by default, per the support plan, **Professional No Charge**, that you'll use for this public preview. Select the time zone by which you'd like to receive the correspondence. Then, click **Next**.
- e. Verify your contact details and add another if necessary. Then, click **Next**.
+ e. Verify your contact details and add another if necessary. Then, click **Next**.
- f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number.
+ f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number.
+
+## Sample questions to ask Microsoft Threat Experts
+**Alert information**
+- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
+- We’ve observed two similar attacks which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
+- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Windows Defender see these attempts? What type of sign-ins are being monitored?
+- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
+
+**Possible machine compromise**
+- Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many machines and we would appreciate input on whether this is related to malicious activity.
+- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
+
+**Threat intelligence details**
+- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you please send me a link?
+- I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection WDATP provides against this threat actor?
+
+**Microsoft Threat Experts’ alert communications**
+- Can your incident response team help us address the targeted attack notification that we got?
+- I received this targeted attack notification from Microsoft Threat Experts. We don’t have our own incident response team. What can we do now, and how can we contain the incident?
+- I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team?
+
+ >[!NOTE]
+ >Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response.
## Scenario
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index 225465fee0..0000000000
--- a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Threat analytics for Spectre and Meltdown
-description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization.
-keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 09/03/2018
----
-
-# Threat analytics for Spectre and Meltdown
-**Applies to:**
-- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-The **Threat analytics** dashboard provides insight on how emerging threats affect your organization. It provides information that's specific for your organization.
-
-[Spectre and Meltdown](https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/) is a new class of exploits that take advantage of critical vulnerabilities in the CPU processors, allowing attackers running user-level, non-admin code to steal data from kernel memory. These exploits can potentially allow arbitrary non-admin code running on a host machine to harvest sensitive data belonging to other apps or system processes, including apps on guest VMs.
-
-Mitigating these vulnerabilities involves a complex multivendor update. It requires updates to Windows and Microsoft browsers using the [January 2018 Security Updates from Microsoft](https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/858123b8-25ca-e711-a957-000d3a33cf99) and updates to processor microcode using fixes released by OEM and CPU vendors.
-
-## Prerequisites
-Note the following requirements and limitations of the charts and what you might be able to do to improve visibility of the mitigation status of machines in your network:
-
-- Only active machines running Windows 10 are checked for OS mitigations.
-- When checking for microcode mitgations, Windows Defender ATP currently checks for updates applicable to Intel CPU processors only.
-- To determine microcode mitigation status, machines must enable Windows Defender Antivirus and update to Security intelligence version 1.259.1545.0 or above.
-- To be covered under the overall mitigation status, machines must have both OS and microcode mitigation information.
-
-## Assess organizational risk with Threat analytics
-
-Threat analytics helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of the following mitigations:
-
-- **OS mitigation**: Identifies machines that have installed the January 2018 Security Updates from Microsoft and have not explicitly disabled any of the OS mitigations provided with these updates
-- **Microcode mitigation**: Identifies machines that have installed the necessary microcode updates or those that do not require them
-- **Overall mitigation status**: Identifies the completeness by which machines have mitigated against the Spectre and Meltdown exploits
-
-
-To access Threat analytics, from the navigation pane select **Dashboards** > **Threat analytics**.
-
-Click a section of each chart to get a list of the machines in the corresponding mitigation status.
-
-## Related topics
-- [Threat analytics](threat-analytics.md)
-- [Overview of Secure Score in Windows Defender Security Center](overview-secure-score-windows-defender-advanced-threat-protection.md)
-- [Configure the security controls in Secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
index 63f5cf2f30..ae5f7b984d 100644
--- a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -14,14 +14,13 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 12/08/2017
---
# Indicator resource type
**Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prereleaseinformation](prerelease.md)]
+[!include[Prerelease information](prerelease.md)]
Method|Return Type |Description
:---|:---|:---
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index 6e5a650a0c..a3f36f7725 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -9,7 +9,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 10/8/2018
+ms.date: 3/20/2019
---
# Common Criteria Certifications
@@ -22,6 +22,7 @@ Microsoft is committed to optimizing the security of its products and services.
The Security Target describes security functionality and assurance measures used to evaluate Windows.
+ - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
@@ -58,6 +59,7 @@ These documents describe how to configure Windows to replicate the configuration
**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
+ - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
@@ -134,6 +136,7 @@ These documents describe how to configure Windows to replicate the configuration
An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
+ - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
