Merge branch 'master' into deploy

2025-06-25 07:13:37 +00:00 · 2020-03-03 15:15:50 -08:00
parent 10d1f78161 1b62147853
commit 751ab279b1
121 changed files with 2579 additions and 2605 deletions
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@ -3375,7 +3375,7 @@ This security group has not changed since Windows Server 2008.

 ### <a href="" id="bkmk-serveroperators"></a>Server Operators

-Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Memebers of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
+Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.

 By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.

--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@ -35,7 +35,7 @@ ms.reviewer:
 The Microsoft PIN reset services enables you to help users recover who have forgotten their PIN.  Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.

 >[!IMPORTANT]
-> The Microsoft PIN Reset service only works with Windows 10, version 1709 to 1809 with **Enterprise Edition**.  The feature works with **Pro** edition with Windows 10, version 1903 and newer.
+> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809.  The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer.

 ### Onboarding the Microsoft PIN reset service to your Intune tenant

--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@ -38,7 +38,7 @@ Microsoft classifies most malicious software into one of the following categorie

 * **Downloader:** A type of malware that downloads other malware onto your device. It must connect to the internet to download files.

-* **Dropper:** A type of malware that installs other malware files onto your device. Unlike a downloader, a dropper doesn’t have to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.
+* **Dropper:** A type of malware that installs other malware files onto your device. Unlike a downloader, a dropper doesn't have to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.

 * **Exploit:** A piece of code that uses software vulnerabilities to gain access to your device and perform other tasks, such as installing malware. [See more information about exploits](exploits-malware.md).

@ -84,7 +84,7 @@ Software that exhibits lack of choice might:

 Software must not mislead or coerce you into making decisions about your device. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:

-* Display exaggerated claims about your device’s health.
+* Display exaggerated claims about your device's health.

 * Make misleading or inaccurate claims about files, registry entries, or other items on your device.

--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@ -2,7 +2,7 @@
 title: Top scoring in industry tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK)
 ms.reviewer: 
 description: Microsoft Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis.
-keywords: av-test, av-comparatives, SE labs, MITRE ATT&CK, antivirus test, av testing, security product testing, security industry tests, industry antivirus tests, best antivirus, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows Defender Antivirus, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, next generation protection
+keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, next generation protection
 ms.prod: w10
 ms.mktglfcycl: secure
 ms.sitesec: library
@ -50,7 +50,7 @@ The AV-TEST Product Review and Certification Report tests on three categories: p

 ### AV-Comparatives: Protection rating of 99.9% in the latest test

-Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system’s performance.
+Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance.

 - Business Security Test 2019 (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) <sup>**Latest**</sup>

@ -94,7 +94,7 @@ MITRE tested the ability of products to detect techniques commonly used by the t

 ## To what extent are tests representative of protection in the real world?

-Independent security industry tests aim to evaluate the best antivirus and security products in an unbiased manner. However, it is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the evaluations highlighted in this topic. For example, in an average month Microsoft's security products identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.
+Independent security industry tests aim to evaluate the best antivirus and security products in an unbiased manner. However, it is important to remember that Microsoft sees a wider and broader set of threats beyond what's tested in the evaluations highlighted in this topic. For example, in an average month Microsoft's security products identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.

 The capabilities within Microsoft Defender ATP provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how Microsoft's security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively Microsoft's security suite protects customers in the real world.

--- a/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@ -144,6 +144,13 @@ More details about certain events are provided in the **Additional information**

 You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine.

+#### Event details
+Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown.
+
+To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query will return the selected event and the list of other events that occurred around the same time on the same endpoint.
+
+![Image of the event details panel](images/event-details.png)
+
 ### Security recommendations

 **Security recommendations** are generated from Microsoft Defender ATP's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details.
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
@ -45,7 +45,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
 3. Set the deployment method to **Mobile Device Management / Microsoft Intune**.
    
    >[!NOTE]
-    >JamF falls under **Mobile Device Management**. 
+    >Jamf falls under **Mobile Device Management**. 
        
 4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
 5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@ -19,6 +19,15 @@ ms.topic: conceptual

 # What's new in Microsoft Defender Advanced Threat Protection for Mac

+## 100.86.91
+
+> [!CAUTION]
+> To ensure the most complete protection for your macOS devices and in alignment with Apple stopping delivery of macOS native security updates to OS versions older than [current – 2], MDATP for Mac deployment and updates will no longer be supported on macOS Sierra [10.12]. MDATP for Mac updates and enhancements will be delivered to devices running versions Catalina [10.15], Mojave [10.14], and High Sierra [10.13]. 
+>
+> If you already have MDATP for Mac deployed to your Sierra [10.12] devices, please upgrade to the latest macOS version to eliminate risks of losing protection.
+
+- Performance improvements & bug fixes
+
 ## 100.83.73

 - Added more controls for IT administrators around [management of exclusions](mac-preferences.md#exclusion-merge-policy), [management of threat type settings](mac-preferences.md#threat-type-settings-merge-policy), and [disallowed threat actions](mac-preferences.md#disallowed-threat-actions)
@ -37,9 +46,9 @@ ms.topic: conceptual

 - Fixed an issue where Microsoft Defender ATP for Mac was sometimes interfering with Time Machine
 - Added a new switch to the command-line utility for testing the connectivity with the backend service
-```bash
-$ mdatp --connectivity-test
-```
+  ```bash
+  $ mdatp --connectivity-test
+  ```
 - Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view)
 - Performance improvements & bug fixes

@ -60,12 +69,12 @@ $ mdatp --connectivity-test

 - Added support for macOS Catalina

-> [!CAUTION]
-> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
->
-> The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP:
->
-> - For manual deployments, see the updated instructions in the [Manual deployment](mac-install-manually.md#how-to-allow-full-disk-access) topic.
-> - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md#privacy-preferences-policy-control) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
+  > [!CAUTION]
+  > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
+  >
+  > The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP:
+  >
+  > - For manual deployments, see the updated instructions in the [Manual deployment](mac-install-manually.md#how-to-allow-full-disk-access) topic.
+  > - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md#privacy-preferences-policy-control) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.

 - Performance improvements & bug fixes
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@ -62,7 +62,7 @@ In general you need to take the following steps:
    - [Manual deployment](linux-install-manually.md)
  - Third-party management tools:
    - [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
-    - [Deploy using Ansbile configuration management tool](linux-install-with-ansible.md)
+    - [Deploy using Ansible configuration management tool](linux-install-with-ansible.md)

 ### System requirements

@ -92,6 +92,9 @@ The following table lists the services and their associated URLs that your netwo
 | United Kingdom                           | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com |
 | United States                            | unitedstates.x.cp.wd.microsoft.com  <br/> us-v20.events.data.microsoft.com |

+> [!NOTE]
+> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server) 
+
 Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
 - Transparent proxy
 - Manual static proxy configuration
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@ -1,8 +1,8 @@
 ---
-title: Configure Windows Defender Antivirus exclusions on Windows Server 2016
+title: Configure Windows Defender Antivirus exclusions on Windows Server 2016 or 2019
 ms.reviewer: 
 manager: dansimp
-description: Windows Server 2016 includes automatic exclusions, based on server role. You can also add custom exclusions.
+description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions.
 keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Windows Defender Antivirus
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@ -22,48 +22,47 @@ ms.custom: nextgen

 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

-Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions, as defined by your specified server role. See [the end of this topic](#list-of-automatic-exclusions) for a list of these exclusions.
+Windows Defender Antivirus on Windows Server 2016 or 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).

-These exclusions will not appear in the standard exclusion lists shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
-
-You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as described in these exclusion-related topics:
+> [!NOTE]
+> Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.

+In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer to these articles:
 - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
 - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)

-Custom exclusions take precedence over automatic exclusions.
+## A few points to keep in mind

-> [!TIP]
-> Custom and duplicate exclusions do not conflict with automatic exclusions.
+- Custom exclusions take precedence over automatic exclusions.

-Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
+- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
+
+- Custom and duplicate exclusions do not conflict with automatic exclusions.
+
+- Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.

 ## Opt out of automatic exclusions

-In Windows Server 2016, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt out of the automatic exclusions delivered in Security intelligence updates.
+In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. 

 > [!WARNING]
-> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles.
+> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 or 2019 roles.

-> [!NOTE]
-> This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on exclusions.
-
-> [!TIP]
-> Since the predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path *different than the original one*, you would have to manually add the exclusions using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
+Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .

 You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.

 ### Use Group Policy to disable the auto-exclusions list on Windows Server 2016

-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure, and then click **Edit**.

-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.

-3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Exclusions**.

-4. Double-click **Turn off Auto Exclusions** and set the option to **Enabled**. Click **OK**. 
+4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**. 

-**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
+### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016

 Use the following cmdlets:

@ -71,11 +70,13 @@ Use the following cmdlets:
 Set-MpPreference -DisableAutoExclusions $true
 ```

-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+[Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md).
+
+[Use PowerShell with Windows Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index).

 ### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016

-Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
+Use the **Set** method of the [MSFT_MpPreference](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:

 ```WMI
 DisableAutoExclusions
@ -85,212 +86,221 @@ See the following for more information and allowed parameters:
 - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)

 ## List of automatic exclusions
+
 The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types.

 ### Default exclusions for all roles
-This section lists the default exclusions for all Windows Server 2016 roles.

- Windows "temp.edb" files:
+This section lists the default exclusions for all Windows Server 2016 and 2019 roles.

-  - *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
+#### Windows "temp.edb" files

-  - *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
+- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb

- Windows Update files or Automatic Update files:
+- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log

-  - *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
+#### Windows Update files or Automatic Update files

-  - *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
+- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb

-  - *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
+- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk

-  - *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
+- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log

-  - *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
+- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs

- Windows Security files:
+- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log

-  - *%windir%*\Security\database\\*.chk
+#### Windows Security files

-  - *%windir%*\Security\database\\*.edb
+- *%windir%*\Security\database\\*.chk

-  - *%windir%*\Security\database\\*.jrs
+- *%windir%*\Security\database\\*.edb

-  - *%windir%*\Security\database\\*.log
+- *%windir%*\Security\database\\*.jrs

-  - *%windir%*\Security\database\\*.sdb
+- *%windir%*\Security\database\\*.log

- Group Policy files:
+- *%windir%*\Security\database\\*.sdb

-  - *%allusersprofile%*\NTUser.pol
+#### Group Policy files

-  - *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
+- *%allusersprofile%*\NTUser.pol

-  - *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
+- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol

- WINS files:
+- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol

-  - *%systemroot%*\System32\Wins\\*\\\*.chk
+#### WINS files

-  - *%systemroot%*\System32\Wins\\*\\\*.log
+- *%systemroot%*\System32\Wins\\*\\\*.chk

-  - *%systemroot%*\System32\Wins\\*\\\*.mdb
+- *%systemroot%*\System32\Wins\\*\\\*.log

-  - *%systemroot%*\System32\LogFiles\
+- *%systemroot%*\System32\Wins\\*\\\*.mdb

-  - *%systemroot%*\SysWow64\LogFiles\
+- *%systemroot%*\System32\LogFiles\

- File Replication Service (FRS) exclusions:
+- *%systemroot%*\SysWow64\LogFiles\

-  - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
+#### File Replication Service (FRS) exclusions

-    - *%windir%*\Ntfrs\jet\sys\\*\edb.chk
+- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`

-    - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
+  - *%windir%*\Ntfrs\jet\sys\\*\edb.chk

-    - *%windir%*\Ntfrs\jet\log\\*\\\*.log
+  - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb

-    - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
+  - *%windir%*\Ntfrs\jet\log\\*\\\*.log

-    -*%windir%*\Ntfrs\\*\Edb\*.log
+- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`

-    - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
+  - *%windir%*\Ntfrs\\*\Edb\*.log

-      - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
+- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`

-    - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
+  - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\

-      - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
+- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`

-    - The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
+  - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\

-      > [!NOTE]
-      > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions). 
+- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`

-      - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
+  > [!NOTE]
+  > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions). 

-      - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
+  - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$

-      - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
+  - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*

-      - *%systemdrive%*\System Volume Information\DFSR\\*.XML
+  - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*

-      - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
+  - *%systemdrive%*\System Volume Information\DFSR\\*.XML

-      - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
+  - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$

-      - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
+  - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$

-      - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
+  - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$

-      - *%systemdrive%*\System Volume Information\DFSR\\*.frx
+  - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db

-      - *%systemdrive%*\System Volume Information\DFSR\\*.log
+  - *%systemdrive%*\System Volume Information\DFSR\\*.frx

-      - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
+  - *%systemdrive%*\System Volume Information\DFSR\\*.log

-      - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
+  - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs

- Process exclusions
+  - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb

-  - *%systemroot%*\System32\dfsr.exe
+#### Process exclusions

-  - *%systemroot%*\System32\dfsrs.exe
+- *%systemroot%*\System32\dfsr.exe

- Hyper-V exclusions:
+- *%systemroot%*\System32\dfsrs.exe

-  - This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
+#### Hyper-V exclusions

-    - File type exclusions:
+This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role

-      - *.vhd
+- File type exclusions:

-      - *.vhdx
+  - *.vhd

-      - *.avhd
+  - *.vhdx

-      - *.avhdx
+  - *.avhd

-      - *.vsv
+  - *.avhdx

-      - *.iso
+  - *.vsv

-      - *.rct
+  - *.iso

-      - *.vmcx
+  - *.rct

-      - *.vmrs
+  - *.vmcx

-    - Folder exclusions:
+  - *.vmrs

-      - *%ProgramData%*\Microsoft\Windows\Hyper-V
+- Folder exclusions:

-      - *%ProgramFiles%*\Hyper-V
+  - *%ProgramData%*\Microsoft\Windows\Hyper-V

-      - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
+  - *%ProgramFiles%*\Hyper-V

-      - *%Public%*\Documents\Hyper-V\Virtual Hard Disks
+  - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots

-    - Process exclusions:
+  - *%Public%*\Documents\Hyper-V\Virtual Hard Disks

-      - *%systemroot%*\System32\Vmms.exe
+- Process exclusions:

-      -   *%systemroot%*\System32\Vmwp.exe
+  - *%systemroot%*\System32\Vmms.exe

- SYSVOL files:
+  -   *%systemroot%*\System32\Vmwp.exe

-  - *%systemroot%*\Sysvol\Domain\\*.adm
+#### SYSVOL files

-  - *%systemroot%*\Sysvol\Domain\\*.admx
+- *%systemroot%*\Sysvol\Domain\\*.adm

-  - *%systemroot%*\Sysvol\Domain\\*.adml
+- *%systemroot%*\Sysvol\Domain\\*.admx

-  - *%systemroot%*\Sysvol\Domain\Registry.pol
+- *%systemroot%*\Sysvol\Domain\\*.adml

-  - *%systemroot%*\Sysvol\Domain\\*.aas
+- *%systemroot%*\Sysvol\Domain\Registry.pol

-  - *%systemroot%*\Sysvol\Domain\\*.inf
+- *%systemroot%*\Sysvol\Domain\\*.aas

-  - *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
+- *%systemroot%*\Sysvol\Domain\\*.inf

-  - *%systemroot%*\Sysvol\Domain\\*.ins
+- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini

-  - *%systemroot%*\Sysvol\Domain\Oscfilter.ini
+- *%systemroot%*\Sysvol\Domain\\*.ins
+
+- *%systemroot%*\Sysvol\Domain\Oscfilter.ini

 ### Active Directory exclusions
+
 This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.

- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
+#### NTDS database files

-  - %windir%\Ntds\ntds.dit
+The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`

-  - %windir%\Ntds\ntds.pat
+- %windir%\Ntds\ntds.dit

- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
+- %windir%\Ntds\ntds.pat

-  - %windir%\Ntds\EDB*.log
+#### The AD DS transaction log files

-  - %windir%\Ntds\Res*.log
+The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`

-  - %windir%\Ntds\Edb*.jrs
+- %windir%\Ntds\EDB*.log

-  - %windir%\Ntds\Ntds*.pat
+- %windir%\Ntds\Res*.log

-  - %windir%\Ntds\EDB*.log
+- %windir%\Ntds\Edb*.jrs

-  - %windir%\Ntds\TEMP.edb
+- %windir%\Ntds\Ntds*.pat

- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
+- %windir%\Ntds\EDB*.log

-  - %windir%\Ntds\Temp.edb
+- %windir%\Ntds\TEMP.edb

-  - %windir%\Ntds\Edb.chk
+#### The NTDS working folder

- Process exclusions for AD DS and AD DS-related support files:
+This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`

-  - %systemroot%\System32\ntfrs.exe
+- %windir%\Ntds\Temp.edb

-  - %systemroot%\System32\lsass.exe
+- %windir%\Ntds\Edb.chk
+
+#### Process exclusions for AD DS and AD DS-related support files
+
+- %systemroot%\System32\ntfrs.exe
+
+- %systemroot%\System32\lsass.exe

 ### DHCP Server exclusions

@ -310,19 +320,19 @@ This section lists the exclusions that are delivered automatically when you inst

 This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.

- File and folder exclusions for the DNS Server role:
+#### File and folder exclusions for the DNS Server role

-  - *%systemroot%*\System32\Dns\\*\\\*.log
+- *%systemroot%*\System32\Dns\\*\\\*.log

-  - *%systemroot%*\System32\Dns\\*\\\*.dns
+- *%systemroot%*\System32\Dns\\*\\\*.dns

-  - *%systemroot%*\System32\Dns\\*\\\*.scc
+- *%systemroot%*\System32\Dns\\*\\\*.scc

-  - *%systemroot%*\System32\Dns\\*\BOOT
+- *%systemroot%*\System32\Dns\\*\BOOT

- Process exclusions for the DNS Server role:
+#### Process exclusions for the DNS Server role

-  - *%systemroot%*\System32\dns.exe
+- *%systemroot%*\System32\dns.exe

 ### File and Storage Services exclusions

@ -338,43 +348,45 @@ This section lists the file and folder exclusions that are delivered automatical

 This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.

- File type exclusions:
+#### File type exclusions

-  - *.shd
+- *.shd

-  - *.spl
+- *.spl

- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
+#### Folder exclusions

-  - *%system32%*\spool\printers\\*
+This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`

- Process exclusions:
+- *%system32%*\spool\printers\\*

-  - spoolsv.exe
+#### Process exclusions
+
+- spoolsv.exe

 ### Web Server exclusions

 This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.

- Folder exclusions:
+#### Folder exclusions

-  - *%SystemRoot%*\IIS Temporary Compressed Files
+- *%SystemRoot%*\IIS Temporary Compressed Files

-  - *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
+- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files

-  - *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
+- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates

-  - *%systemDrive%*\inetpub\logs
+- *%systemDrive%*\inetpub\logs

-  - *%systemDrive%*\inetpub\wwwroot
+- *%systemDrive%*\inetpub\wwwroot

- Process exclusions:
+#### Process exclusions

-  - *%SystemRoot%*\system32\inetsrv\w3wp.exe
+- *%SystemRoot%*\system32\inetsrv\w3wp.exe

-  - *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
+- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe

-  - *%SystemDrive%*\PHP5433\php-cgi.exe
+- *%SystemDrive%*\PHP5433\php-cgi.exe

 ### Windows Server Update Services exclusions

@ -391,7 +403,11 @@ This section lists the folder exclusions that are delivered automatically when y
 ## Related articles

 - [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
+
 - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+
 - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+
 - [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
--- a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
@ -1,5 +1,5 @@
 ---
-title: Windows Defender Antivirus together with Office 365 (including OneDrive) - better protection from ransomware and cyberthreats
+title: Better together: Windows Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats
 description: Office 365, which includes OneDrive, goes together wonderfully with Windows Defender Antivirus. Read this article to learn more.
 keywords: windows defender, antivirus, office 365, onedrive
 search.product: eADQiWindows 10XVcnh
@ -19,7 +19,7 @@ ms.reviewer:
 manager: dansimp
 ---

-# Windows Defender Antivirus together with Office 365
+# Better together: Windows Defender Antivirus and Office 365 (including OneDrive)

 **Applies to:**