diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 9a1b48b3eb..f4655eaebf 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -17,6 +17,14 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
+## Windows 10 Holographic, version 2004
+
+The topics in this library have been updated for Windows 10 Holographic, version 2004.
+
+## HoloLens 2
+
+The topics in this library have been updated for HoloLens 2 and Windows 10 Holographic, version 1903.
+
## April 2019
New or changed topic | Description
diff --git a/devices/hololens/holographic-photos-and-videos.md b/devices/hololens/holographic-photos-and-videos.md
index 10e6bb4756..11255c8961 100644
--- a/devices/hololens/holographic-photos-and-videos.md
+++ b/devices/hololens/holographic-photos-and-videos.md
@@ -44,7 +44,9 @@ To take a quick photo of your current view, press the volume up and volume down
### Voice commands to take photos
-Cortana can also take a picture. Say: "Hey Cortana, take a picture."
+On HoloLens 2, version 2004 (and later), say: "Take a picture."
+
+On HoloLens (1st gen) or HoloLens 2, version 1903, say: "Hey Cortana, take a picture."
### Start menu to take photos
@@ -67,7 +69,9 @@ The quickest way to record a video is to press and hold the **volume up** and **
### Voice to record videos
-Cortana can also record a video. Say: "Hey Cortana, start recording." To stop a video, say "Hey Cortana, stop recording."
+On HoloLens 2, version 2004 (and later), say: "Start recording." To stop recording, say "Stop recording."
+
+On HoloLens (1st gen) or HoloLens 2, version 1903, say: "Hey Cortana, start recording." To stop recording, say "Hey Cortana, stop recording."
### Start menu to record videos
diff --git a/devices/hololens/hololens-multiple-users.md b/devices/hololens/hololens-multiple-users.md
index d65929d676..67860a5dd0 100644
--- a/devices/hololens/hololens-multiple-users.md
+++ b/devices/hololens/hololens-multiple-users.md
@@ -37,7 +37,7 @@ To use HoloLens, each user follows these steps:
1. If another user has been using the device, do one of the following:
- Press the power button once to go to standby, and then press the power button again to return to the lock screen
- - HoloLens 2 users may select the user tile on the top of the Pins panel to sign out the current user.
+ - HoloLens 2 users may select the user tile from the Start menu to sign out the current user.
1. Use your Azure AD account credentials to sign in to the device.
If this is the first time that you have used the device, you have to [calibrate](hololens-calibration.md) HoloLens to your own eyes.
diff --git a/devices/hololens/hololens2-autopilot.md b/devices/hololens/hololens2-autopilot.md
index 39e0029ff0..d92aee8369 100644
--- a/devices/hololens/hololens2-autopilot.md
+++ b/devices/hololens/hololens2-autopilot.md
@@ -71,10 +71,9 @@ Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows
Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements:
- The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune.
-- Every device can connect to the internet. You can "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity.
-- Every device can connect to a computer by using a USB-C cable, and that computer has the following available:
- - Advanced Recovery Companion (ARC)
- - The latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version)
+- Every device can connect to the internet. You can use "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity.
+- Every device can connect to a computer by using a USB-C cable, and that computer has [Advanced Recovery Companion (ARC)](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?rtc=1&activetab=pivot:overviewtab) installed
+- Every device has the latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version.
To configure and manage the Autopilot self-deploying mode profiles, make sure that you have access to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
diff --git a/devices/surface/surface-book-quadro.md b/devices/surface/surface-book-quadro.md
index 8b1599f5b4..c1e6f3bcc2 100644
--- a/devices/surface/surface-book-quadro.md
+++ b/devices/surface/surface-book-quadro.md
@@ -15,29 +15,29 @@ audience: itpro
---
# Surface Book 3 Quadro RTX 3000 technical overview
-
+
Surface Book 3 for Business powered by the NVIDIA® Quadro RTX™ 3000 GPU is built for professionals who need real-time rendering, AI acceleration, advanced graphics, and compute performance in a portable form factor. Quadro RTX 3000 fundamentally changes what you can do with the new Surface Book 3:
-- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing.
+- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing.
- **Artificial Intelligence** - Remove redundant, tedious tasks and compute intensive work with 240 Tensor Cores for GPU-accelerated AI.
- **Advanced Graphics and Compute Technology** - Experience remarkable speed and interactivity during your most taxing graphics and compute workloads with 1,920 CUDA Cores and 6GB of GDDR6 memory.
## Enterprise grade solution
-Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs providing an additional layer of quality assurance to validate stability, reliability, and performance.
+Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional-grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs, providing an additional layer of quality assurance to validate stability, reliability, and performance.
-Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements.
+Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems, and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements.
-NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update.
+NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man-days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update.
## Built for compute-intensive workloads
-Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere.
+The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere.
- **Creative professionals such as designers and animators.** Quadro RTX enables real-time cinematic-quality rendering through Turing-optimized ray tracing APIs such as NVIDIA OptiX, Microsoft DXR, and Vulkan.
- **Architects and engineers using large, complex computer aided design (CAD) models and assemblies.** The RTX platform features the new NGX SDK to infuse powerful AI-enhanced capabilities into visual applications. This frees up time and resources through intelligent manipulation of images, automation of repetitive tasks, and optimization of compute-intensive processes.
-- **Software developers across manufacturing, media & entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs.
+- **Software developers across manufacturing, media and entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs.
- **Data scientists using Tensor Cores and CUDA cores to accelerate computationally intensive tasks and other deep learning operations.** By using sensors, increased connectivity, and deep learning, researchers and developers can enable AI applications for everything from autonomous vehicles to scientific research.
@@ -45,14 +45,14 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of an
| **Component** | **Description** |
| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| RT cores | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions. The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques. RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel. |
-| Enhanced tensor cores | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation. Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. |
+| RT cores | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions. The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques. RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel. |
+| Enhanced tensor cores | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation. Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. |
| Turing optimized software | Deep learning frameworks such as the Microsoft Cognitive Toolkit (CNTK), Caffe2, MXNet, TensorFlow, and others deliver significantly faster training times and higher multi-node training performance. GPU accelerated libraries such as cuDNN, cuBLAS, and TensorRT deliver higher performance for both deep learning inference and High-Performance Computing (HPC) applications. |
| NVIDIA CUDA parallel computing platform | Natively execute standard programming languages like C/C++ and Fortran, and APIs such as OpenCL, OpenACC and Direct Compute to accelerate techniques such as ray tracing, video and image processing, and computation fluid dynamics. |
-| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain best application performance. |
-| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer making it the ideal platform for handling large datasets and latency-sensitive applications. |
+| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain the best application performance. |
+| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer, making it the ideal platform for handling large datasets and latency-sensitive applications. |
| Single instruction, multiple thread (SIMT) | New independent thread scheduling capability enables finer-grain synchronization and cooperation between parallel threads by sharing resources among small jobs. |
-| Mixed-precision computing | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations. |
+| Mixed-precision computing | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations. |
| Dynamic load balancing | Provides dynamic allocation capabilities of GPU resources for graphics and compute tasks as needed to maximize resource utilization. |
| Compute preemption | Preemption at the instruction-level provides finer grain control over compute tasks to prevent long-running applications from either monopolizing system resources or timing out. |
| H.264, H.265 and HEVC encode/decode engines | Enables faster than real-time performance for transcoding, video editing, and other encoding applications with two dedicated H.264 and HEVC encode engines and a dedicated decode engine that are independent of 3D/compute pipeline. |
@@ -86,7 +86,7 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of an
## App acceleration
-The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in market March 2020.
+The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing the Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus the Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in the market as of March 2020.
**Table 3. App acceleration on Surface Book 3 with Quadro RTX 3000**
@@ -95,23 +95,23 @@ The following table shows how Quadro RTX 3000 provides significantly faster acce
| Adobe Dimension | - RTX-accelerated ray tracing delivers photorealistic 3D rendering to 2D artists and designers. |
| Adobe Substance Alchemist | - Create and blend materials with ease, featuring RTX-accelerated AI. |
| Adobe Substance Painter | - Paint materials onto 3d models, featuring RTX accelerated bakers, and Iray RTX rendering which generates photorealistic imagery for interactive and batch rendering workflows.
|
-| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers
- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray powered compatible with MDL.
- DXR-accelerated light and ambient occlusion baking. |
-| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, & perspective warp enable photographers and designers to modify images smoothly and quickly. |
+| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers
- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray that is compatible with MDL.
- DXR-accelerated light and ambient occlusion baking. |
+| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, and perspective warp enable photographers and designers to modify images smoothly and quickly. |
| Adobe Lightroom | - Faster editing high res images with GPU-accelerated viewport, which enables the modeling of larger 3D scenes, and the rigging of more complex animations.
- GPU-accelerated image processing enables dramatically more responsive adjustments, especially on 4K or higher resolution displays.
- GPU-accelerated AI-powered “Enhance Details” for refining fine color detail of RAW images. |
| Adobe Illustrator | - Pan and zoom with GPU-accelerated canvas faster, which enables graphic designers and illustrators to pan across and zoom in and out of complex vector graphics smoothly and interactively. |
-| Adobe
Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU:
- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.
- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. |
+| Adobe
Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU.
- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.
- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. |
| Autodesk
Revit | - GPU-accelerated viewport for a smoother, more interactive design experience.
- Supports 3rd party GPU-accelerated 3D renderers such as V-Ray and Enscape. |
-| Autodesk
3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.
- RTX-accelerated ray tracing and AI denoising ****with the default Arnold renderer.
- More than 70 percent faster compared with Surface Book 2 15”. |
+| Autodesk
3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.
- RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.
- More than 70 percent faster compared with Surface Book 2 15”. |
| Autodesk
Maya | - RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.
- OpenGL Viewport Acceleration. |
-| Dassault Systemes
Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.
- Runs more than 50% faster compared with Surface Book 2 15” |
-| Dassault Systemes
3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.
- Catia runs more than 100% faster compared with Surface Book 2 15. |
-| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”.. |
+| Dassault Systemes
Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.
- Runs more than 50% faster compared with Surface Book 2 15”. |
+| Dassault Systemes
3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.
- Catia runs more than 100% faster compared with Surface Book 2 15". |
+| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”. |
| McNeel & Associates
Rhino 3D | - GPU-accelerated viewport for a smooth and interactive modelling and design experience.
- Supports Cycles for GPU-accelerated 3D rendering. |
-| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.
- Runs more than 10 x faster compared with Surface Book 2 15”.. |
-| Esri ArcGIS | - Real-time results from what took days & weeks, due to DL inferencing leveraging tensor cores. |
+| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.
- Runs more than 10x faster compared with Surface Book 2 15”. |
+| Esri ArcGIS | - Real-time results from what took days and weeks, due to DL inferencing leveraging tensor cores. |
| PTC Creo | - Creo's real-time engineering simulation tool (Creo Simulation Live) built on CUDA.
- Runs more than 15% faster compared with Surface Book 2 15”. |
| Luxion KeyShot | - 3rd party Interactive Ray Tracer used by Solidworks, Creo, and Rhino. Accelerated by RT Cores, OptiX™ AI-accelerated denoising. |
-| ANSYS
Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA |
+| ANSYS
Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA. |
## SKUs
**Table 4. Surface Book 3 with Quadro RTX 3000 SKUs**
@@ -123,7 +123,7 @@ The following table shows how Quadro RTX 3000 provides significantly faster acce
## Summary
-Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance on any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere:
+The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere:
- RTX-acceleration across multiple workflows like design, animation, video production, and more.
- Desktop-grade performance in a mobile form factor.
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index d553a30d50..c1e5dd8c30 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -73,7 +73,7 @@ manager: dansimp
-This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing.
+This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing.
Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
index 243ea0e80a..e9fd6a400e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 02/05/2020
+ms.date: 06/08/2020
ms.reviewer: shwetaj
manager: dansimp
audience: ITPro
@@ -25,17 +25,17 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware and spyware across email, apps, the cloud, and the web.
+Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
-But what if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these things. You can:
-- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis);
-- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring); or
-- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) by Microsoft Defender Antivirus.
+What if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these issues. You can:
+- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis)
+- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring)
+- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned)
## Submit a file to Microsoft for analysis
1. Review the [submission guidelines](../intelligence/submission-guide.md).
-2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission).
+2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission).
> [!TIP]
> We recommend signing in at the submission portal so you can track the results of your submissions.
@@ -48,7 +48,7 @@ To set up your "Allow" indicator, follow the guidance in [Manage indicators](htt
## Define an exclusion on an individual Windows device to prevent an item from being scanned
-When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item.
+When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item.
1. On your Windows 10 device, open the Windows Security app.
2. Select **Virus & threat protection** > **Virus & threat protection settings**.
@@ -64,8 +64,8 @@ The following table summarizes exclusion types, how they're defined, and what ha
|**File type** |File extension
Example: `.test` |All files with the specified extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
|**Process** |Executable file path
Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
-To learn more, see:
-- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
+To learn more, see:
+- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
index de3333fed1..213731cfa6 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
@@ -43,11 +43,11 @@ A specific process | The executable file `c:\test\process.exe` | File and folder
Exclusion lists have the following characteristics:
-- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
-- File extensions will apply to any file name with the defined extension if a path or folder is not defined.
+- Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
+- File extensions apply to any file name with the defined extension if a path or folder is not defined.
>[!IMPORTANT]
->The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
+>Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
>
>You cannot exclude mapped network drives. You must specify the actual network path.
>
@@ -62,7 +62,7 @@ The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-def
>
>Changes made in the Windows Security app **will not show** in the Group Policy lists.
-By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence when there are conflicts.
+By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts.
You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
@@ -91,10 +91,10 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
4. Double-click the **Path Exclusions** setting and add the exclusions.
- - Set the option to **Enabled**.
+ - Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- - Specify each folder on its own line under the **Value name** column.
- - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
+ - Specify each folder on its own line under the **Value name** column.
+ - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
@@ -178,14 +178,14 @@ You can use the asterisk `*`, question mark `?`, or environment variables (such
>
>- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
>- You cannot use a wildcard in place of a drive letter.
->- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
+>- An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
|Wildcard |Examples |
|---------|---------|
-|`*` (asterisk)
In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`
`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`
`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
+|`*` (asterisk)
In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`
`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`
`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
|`?` (question mark)
In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip`
`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders
`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
|Environment variables
The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
@@ -215,7 +215,7 @@ You can retrieve the items in the exclusion list using one of the following meth
If you use PowerShell, you can retrieve the list in two ways:
-- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
+- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists are displayed on separate lines, but the items within each list are combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
### Validate the exclusion list by using MpCmdRun
@@ -271,7 +271,7 @@ In the following PowerShell snippet, replace *test.txt* with a file that conform
Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
```
-If Microsoft Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
+If Microsoft Defender Antivirus reports malware, then the rule is not working. If there is no report of malware and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 06fb8a10f3..971482d70d 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -25,9 +25,9 @@ ms.custom: nextgen
## Overview
-During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
+During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
-With tamper protection, malicious apps are prevented from taking actions like these:
+With tamper protection, malicious apps are prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
@@ -37,11 +37,10 @@ With tamper protection, malicious apps are prevented from taking actions like th
### How it works
- Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods like these:
+ Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
- Configuring settings in Registry Editor on your Windows machine
- Changing settings through PowerShell cmdlets
- Editing or removing security settings through group policies
-- and so on.
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team.
@@ -80,22 +79,22 @@ Here's what you see in the Windows Security app:
## Turn tamper protection on (or off) for your organization using Intune
-If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)).
+If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)).
> [!NOTE]
-> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.
+> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.
-You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
+You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
- - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
+ - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.)
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
- Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
-2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account.
+2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account.
3. Select **Device configuration** > **Profiles**.
@@ -113,9 +112,9 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
5. Assign the profile to one or more groups.
-Here's what you see in the Windows Security app:
+ Here's what you see in the Windows Security app:
-
+ 
### Are you using Windows OS 1709, 1803, or 1809?
@@ -131,17 +130,17 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
## View information about tampering attempts
-Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
+Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
-When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
-Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts.
+Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts.
## Review your security recommendations
-Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
+Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
@@ -216,7 +215,7 @@ In this case, tamper protection status changes, and this feature is no longer ap
### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
-Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
+Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
In addition, your security operations team can use hunting queries, such as the following:
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index 579cc8db74..0a946cec7c 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -91,7 +91,6 @@ Yes, both the Enterprise Resource domains hosted in the cloud and the Domains ca
### Why does my encryption driver break Microsoft Defender Application Guard?
-
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").
### Why do the Network Isolation policies in Group Policy and CSP look different?
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
index c093fcacb7..1cd0814c99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
@@ -21,61 +21,61 @@ ms.topic: article
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional Cyber defenders, forces SOC to work in the most efficient way and automation is a must. MS flow supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within few minutes.
+Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes.
-Microsoft Defender API has an official Flow Connector with a lot of capabilities:
+Microsoft Defender API has an official Flow Connector with many capabilities.
## Usage example
-The following example demonstrates how you can create a Flow that will be triggered any time a new Alert occurs on your tenant.
+The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant.
-- Login to [Microsoft Flow](https://flow.microsoft.com)
+1. Log in to [Microsoft Power Automate](https://flow.microsoft.com).
-- Go to: My flows > New > Automated
+2. Go to **My flows** > **New** > **Automated-from blank**.
-
+ 
-- Choose a name for your Flow, Search for **Microsoft Defender ATP Triggers** as the trigger and choose the new Alerts trigger.
+3. Choose a name for your Flow, search for "Microsoft Defender ATP Triggers" as the trigger, and then select the new Alerts trigger.
-
+ 
-- Now you have a Flow that is triggered every time a new Alert occurs.
+Now you have a Flow that is triggered every time a new Alert occurs.
-All you need to do now, is to choose your next steps.
-Lets, for example, Isolate the machine if the Severity of the Alert is **High** and mail about it.
-The Alert trigger gives us only the Alert ID and the Machine ID. We can use the Connector to expand these entities.
+All you need to do now is choose your next steps.
+For example, you can isolate the machine if the Severity of the Alert is High and send an email about it.
+The Alert trigger provides only the Alert ID and the Machine ID. You can use the connector to expand these entities.
-### Get the Alert entity using the connector
+### Get the Alert entity using the connector
-- Choose Microsoft Defender ATP for new step.
+1. Choose **Microsoft Defender ATP** for the new step.
-- Choose Alerts - Get single alert API.
+2. Choose **Alerts - Get single alert API**.
-- Set the Alert Id from the last step as Input.
+3. Set the **Alert ID** from the last step as **Input**.
-
+ 
### Isolate the machine if the Alert's severity is High
-- Add **Condition** as a new step .
+1. Add **Condition** as a new step.
-- Check if Alert severity equals to **High**.
+2. Check if the Alert severity **is equal to** High.
-- If yes, add Microsoft Defender ATP - Isolate machine action with the Machine Id and a comment.
+ If yes, add the **Microsoft Defender ATP - Isolate machine** action with the Machine ID and a comment.
-
+ 
-Now you can add a new step for mailing about the Alert and the Isolation.
-There are multiple Email connectors that are very easy to use, e.g. Outlook, GMail, etc..
-Save your flow and that's all.
+3. Add a new step for emailing about the Alert and the Isolation. There are multiple email connectors that are very easy to use, such as Outlook or Gmail.
-- You can also create **scheduled** flow that will run Advanced Hunting queries and much more!
+4. Save your flow.
+
+You can also create a **scheduled** flow that runs Advanced Hunting queries and much more!
## Related topic
- [Microsoft Defender ATP APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
index ace57f0c77..e7f8c3b23b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
@@ -100,4 +100,4 @@ Machine configuration management monitors baseline compliance only of Windows 10
## Related topics
- [Ensure your machines are configured properly](configure-machines.md)
- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
-- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
\ No newline at end of file
+- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index a2ebc76a15..2506f2934b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/29/2020
+ms.date: 06/04/2020
ms.reviewer:
manager: dansimp
---
@@ -201,7 +201,3 @@ Example:
- [Attack surface reduction FAQ](attack-surface-reduction.md)
-* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
-* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
-* [Attack surface reduction FAQ](attack-surface-reduction.md)
-* [Enable cloud-delivered protection](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index bda42ad846..f7626685ae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -87,6 +87,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
+|Configuration|Turn on/off passiveMode |`mdatp --config passiveMode [on/off]` |
|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
|Health |Check the product's health |`mdatp --health` |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index eb5b02f1ac..b6eaffbafa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Microsoft Defender Advanced Threat Protection
-description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise security platform that helps defend against advanced persistent threats.
+description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise endpoint security platform that helps defend against advanced persistent threats.
keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -23,7 +23,7 @@ ms.topic: conceptual
>
> For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
-Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+Microsoft Defender Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index 736722c00e..3bbf64e500 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -40,15 +40,23 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
+> [!NOTE]
+> Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices.
+
+Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options:
+
+- [Azure Security Center Standard plan](https://docs.microsoft.com/azure/security-center/security-center-pricing) (per node)
+- Microsoft Defender ATP for Servers (one per covered Server)
+
+> [!NOTE]
+> Customers with a combined minimum of 50 licenses for one or more of the following may acquire Server SLs for Microsoft Defender Advanced Threat Protection for Servers (one per covered Server OSE): Microsoft Defender Advanced Threat Protection, Windows E5/A5, Microsoft 365 E5/A5 and Microsoft 365 E5 Security User SLs. This license applies to Microsoft Defender ATP for Linux.
+
For detailed licensing information, see the [Product terms page](https://www.microsoft.com/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product.
For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://go.microsoft.com/fwlink/p/?linkid=2069559).
-For more information about licensing requirements for Microsoft Defender ATP platform on Windows Server, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114).
-
-
## Browser requirements
Access to Microsoft Defender ATP is done through a browser, supporting the following browsers:
- Microsoft Edge
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index 7153eaffb1..7ac4761b32 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -58,7 +58,7 @@ Once you are in the Software inventory page and have opened the flyout panel by
## Software evidence
-We now show evidence of where we detected a specific software on a machine from the registry, disk or both machine on where we detected a certain software.
+We now show evidence of where we detected a specific software on a machine from the registry, disk or both.
You can find it on any machines found in the [machines list](machines-view-overview.md) in a section called "Software Evidence."
From the Microsoft Defender Security Center navigation panel, go to **Machines list** > select the name of a machine to open the machine page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence.
@@ -86,4 +86,4 @@ You can report a false positive when you see any vague, inaccurate version, inco
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
-- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 5f46ca3685..f5a0e5c08f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -22,6 +22,7 @@ ms.author: dansimp
- Windows 10, version 1507 with [KB 4012606](https://support.microsoft.com/help/4012606) installed
- Windows 8.1 with [KB 4102219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
- Windows 7 with [KB 4012218](https://support.microsoft.com/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed
+- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2 with[KB 4012219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
- Windows Server 2012 with [KB 4012220](https://support.microsoft.com/help/4012220/march-2017-preview-of-monthly-quality-rollup-for-windows-server-2012) installed
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
index 56613b0b02..2e91b3b1b6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
@@ -43,7 +43,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob
### Best practices
-- Set **Domain controller: LDAP server signing requirements** to **Require signature**. If you set the server to require LDAP signatures, you must also set the client devices to do so. Not setting the client devices will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts.
+- Set both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings to **Require signing**. To avoid usage of unsigned traffic, set both client and server sides to require signing. Not setting one of the sides will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts.
### Location
@@ -84,11 +84,11 @@ Unsigned network traffic is susceptible to man-in-the-middle attacks in which an
### Countermeasure
-Configure the **Network security: LDAP server signing requirements** setting to **Require signature**.
+Configure the **Network security: LDAP client signing requirements** setting to **Require signing**.
### Potential impact
-If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts.
+If you configure the client to require LDAP signatures, it may fail to communicate with the LDAP servers that do not require requests to be signed. To avoid this issue, make sure that both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings are set to **Require signing**.
## Related topics
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
index 873ee01d4f..38155aa557 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
@@ -19,7 +19,7 @@ ms.date: 08/17/2017
# Create an Authentication Request Rule
-**Applies to**
+**Applies to:**
- Windows 10
- Windows Server 2016
@@ -27,9 +27,9 @@ After you have configured IPsec algorithms and authentication methods, you can c
**Administrative credentials**
-To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
+To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the (Group Policy Objects) GPOs.
-To create the authentication request rule
+To create the authentication request rule:
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
@@ -39,9 +39,10 @@ To create the authentication request rule
4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**.
- >**Caution:** Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network.
+ > [!CAUTION]
+ > Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network.
-5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP).
+5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are attempted in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP).
1. **Default**. Selecting this option tells the device to request authentication by using the method currently defined as the default on the device. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods](configure-authentication-methods.md) procedure.
@@ -49,7 +50,9 @@ To create the authentication request rule
3. **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows.
- 4. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
+ 4. **Advanced**. Selecting this option enables you to specify a custom combination of authentication methods required for your scenario.
+
+6. Optional: If you selected **Advanced** in the previous step, then Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
The **First authentication method** can be one of the following:
@@ -75,18 +78,19 @@ To create the authentication request rule
If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails.
- >**Important:** Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
+ > [!IMPORTANT]
+ > Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
-6. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**.
+7. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**.
-7. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies.
+8. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies.
- On portable devices, consider clearing the **Private** and **Public** boxes to enable the device to communicate without authentication when it is away from the domain network.
- - On devices that do not move from network to network, consider selecting all of the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule.
+ - On devices that do not move from network to network, consider selecting all the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule.
Click **Next**.
-8. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**.
+9. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**.
The new rule appears in the list of connection security rules.
diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
index ba9cedf313..74dacfe608 100644
--- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -27,30 +27,42 @@ After you collect information about your environment and decide on a design by f
## Reviewing your Windows Defender Firewall with Advanced Security Design
-If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points:
+If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure the deployment team reviews the final design with the design team. Review the following information before starting your deployment.
-- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide:
+### Decide which devices apply to which GPO
- - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
+The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide:
- - [Planning the GPOs](planning-the-gpos.md)
+- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
- - [Planning GPO Deployment](planning-gpo-deployment.md)
+- [Planning the GPOs](planning-the-gpos.md)
-- The communication to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list.
+- [Planning GPO Deployment](planning-gpo-deployment.md)
-- The recommendation that domain controllers are exempted from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
+### Configure communication between members and devices
-- The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior, so communications can continue while the authentication failures are investigated.
+Decide what communication is to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list.
-- The requirement that all devices that must communicate with each other share a common set of:
+### Exempt domain controllers from IPsec authentication requirements
- - Authentication methods
+It is recommended that domain controllers are exempt from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
- - Main mode key exchange algorithms
+### Configure IPsec authentication rules
- - Quick mode data integrity algorithms
+The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior. Communications can continue while the authentication failures are investigated.
- If at least one set of each does not match between two devices, then the devices cannot successfully communicate.
+### Make sure all devices can communicate with each other
+
+For all devices to communicate with each other, they must share a common set of:
+
+- Authentication methods
+
+- Main mode key exchange algorithms
+
+- Quick mode data integrity algorithms
+
+If at least one set of each does not match between two devices, then the devices cannot successfully communicate.
+
+## Deploy your Windows Firewall Design Plan
After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Defender Firewall design. For more information, see [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md).