Merge pull request #3354 from MicrosoftDocs/FromPrivateRepo

From private repo

it-client

@@ -0,0 +1 @@
+Subproject commit 61e0a21977430f3c0eef1c32e398999dc090c332

windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md

@@ -14,7 +14,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/05/2019
+ms.date: 04/22/2019
 ---
 
 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@@ -462,15 +462,6 @@ After you've decided where your protected apps can access enterprise data on you
 **To set your optional settings**
 1.	Choose to set any or all of the optional settings:
 
-    - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
-    
-        - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. 
-	
-        - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
-
-        >[!IMPORTANT]
-        >The **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box** option is only available for Configuration Manager versions 1610 and below.
-
     - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
 	
         - **Yes (recommended).** Turns on the feature and provides the additional protection.

windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md

@@ -28,47 +28,40 @@ ms.topic: article
 
 
 
-Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. 
+Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. 
 
 You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP for the integration to work. 
 
+
+
+## Onboarding non-Windows machines
 You'll need to take the following steps to onboard non-Windows machines:
-1. Turn on third-party integration
+1. Select your preferred method of onboarding:
-2. Run a detection test
 
-## Turn on third-party integration
+   - For macOS devices, you can choose to onboard through Windows Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac).
+   - For other non-Windows devices choose **Onboard non-Windows machines through third-party integration**.   
        
-1. In the navigation pane, select **Settings** > **Onboarding**. Make sure the third-party solution is listed.
+     1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed.
 
-2. 	Select **Linux, macOS, iOS and Android** as the operating system.
+      2. 	In the **Partner Applications** tab, select the partner that supports your non-Windows devices.
 
-3. Turn on the third-party solution integration.
+      3. Select **Open partner page** to open the partner's page. Follow the instructions provided on the page.
 
-4. 	Click **Generate access token** button and then **Copy**.
+      4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it is aligned with the service that you require. 
-
-5. 	You’ll need to copy and paste the token to the third-party solution you’re using. The implementation may vary depending on the solution. 
 
         
->[!WARNING] 
+2. Run a detection test by following the instructions of the third-party solution.
->The access token has a limited validity period. If needed, regenerate the token close to the time you need to share it with the third-party solution.
-
-### Run detection test
-Create an EICAR test file by saving the string displayed on the portal in an empty text file. Then, introduce the test file to a machine running the third-party antivirus solution. 
-
-The file should trigger a detection and a corresponding alert on Windows Defender ATP.
 
 ## Offboard non-Windows machines
-To effectively offboard the machine from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow.
 
+1. Follow the third-party's documentation to disconnect the third-party solution from Windows Defender ATP.
 
-1. Follow the third-party documentation to opt-out on the third-party service side.
+2. Remove permissions for the third-party solution in your Azure AD tenant.
+   1. Sign in to the [Azure portal](https://portal.azure.com).
+   2. Select **Azure Active Directory > Enterprise Applications**.
+   3. Select the application you'd like to offboard.
+   4. Select the **Delete** button.
 
-2. In the navigation pane, select **Settings** > **Onboarding**.
-
-3. Turn off the third-party solution integration. 
-
->[!WARNING]
->If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on machines. 
 
 ## Related topics
 - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md

@@ -60,23 +60,28 @@ Each ASR rule contains three settings:
 
 For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md).
 
-### Enable ASR rules in Intune
+### Intune
 
-1. In Intune, select *Device configuration* > *Profiles*. Choose an existing endpoint protection profile or create a new one. To create a new one, select *Create profile* and enter information for this profile. For *Profile type*, select *Endpoint protection*. If you've chosen an existing profile, select *Properties* and then select *Settings*.
+1. In Intune, select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
 
-2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule.
+2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
 
-3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
+3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
 	
+   *C:\folder*, *%ProgramFiles%\folder\file*, *path*	
 
+4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
 
-4. Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one.
+### SCCM
 
-### Enable ASR rules in SCCM
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. Click **Home** > **Create Exploit Guard Policy**.
+1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
+1. Choose which rules will block or audit actions and click **Next**.
+1. Review the settings and click **Next** to create the policy.
+1. After the policy is created, click **Close**. 
 
-For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy).
+### Group Policy
-
-### Enable ASR rules with Group Policy
 
 >[!WARNING]
 >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
@@ -97,7 +102,7 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr
 
 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. 
  
-### Enable ASR rules with PowerShell
+### PowerShell
 
 >[!WARNING]
 >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
@@ -148,7 +153,7 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr
 	>[!IMPORTANT]
 	>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
 
-### Enable ASR rules with MDM CSPs
+### MDM
 
 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
 

windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 03/29/2019
+ms.date: 04/22/2019
 ---
 
 # Enable controlled folder access
@@ -20,28 +20,24 @@ ms.date: 03/29/2019
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
+[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019.
 
 You can enable controlled folder access by using any of the these methods:
 
-- Windows Security app
+- [Windows Security app](#windows-security-app)
-- Intune 
+- [Microsoft Intune](#intune) 
-- MDM
+- [Mobile Device Management (MDM)](#mdm)
-- Group Policy
+- [System Center Configuration Manager (SCCM)](#sccm)
-- PowerShell cmdlets
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)
 
- Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
+[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
 
->[!NOTE]
+Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
->The Controlled folder access feature will display the state in the Windows Security app under **Virus & threat protection settings**.
+- Windows Defender Antivirus **Configure local administrator merge behavior for lists**
->If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
+- System Center Endpoint Protection **Allow users to add exclusions and overrides**
->If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
+
->See [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) for more details on how audit mode works.
+For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
-><p>
->Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
->- Windows Defender Antivirus **Configure local administrator merge behavior for lists**
->- System Center Endpoint Protection **Allow users to add exclusions and overrides**
->For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
 
 ## Windows Security app
 
@@ -51,6 +47,10 @@ You can enable controlled folder access by using any of the these methods:
 
 3. Set the switch for **Controlled folder access** to **On**.
 
+>[!NOTE]
+>If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
+>If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
+
 ## Intune
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
@@ -60,6 +60,8 @@ You can enable controlled folder access by using any of the these methods:
 1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. 
 1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. 
    ![Enable controlled folder access in Intune](images/enable-cfa-intune.png)
+   >[!NOTE]
+   >Wilcard is supported for applications, but not for folders. Subfolders are not protected. 
 1. Click **OK** to save each open blade and click **Create**. 
 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 
@@ -67,6 +69,15 @@ You can enable controlled folder access by using any of the these methods:
 
 Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. 
 
+## SCCM
+
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. Click **Home** > **Create Exploit Guard Policy**.
+1. Enter a name and a description, click **Controlled folder access**, and click **Next**.
+1. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
+1. Review the settings and click **Next** to create the policy.
+1. After the policy is created, click **Close**. 
+
 ## Group Policy
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 03/29/2019
+ms.date: 04/22/2019
 ---
 
 # Enable exploit protection
@@ -28,11 +28,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
 
 You can enable each mitigation separately by using any of the these methods:
 
-- Windows Security app
+- [Windows Security app](#windows-security-app)
-- Intune 
+- [Microsoft Intune](#intune) 
-- MDM
+- [Mobile Device Management (MDM)](#mdm)
-- Group Policy
+- [System Center Configuration Manager (SCCM)](#sccm)
-- PowerShell cmdlets
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)
 
 They are configured by default in Windows 10. 
 
@@ -124,6 +125,15 @@ CFG will be enabled for *miles.exe*.
 
 Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode.
 
+## SCCM
+
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. Click **Home** > **Create Exploit Guard Policy**.
+1. Enter a name and a description, click **Exploit protection**, and click **Next**.
+1. Browse to the location of the exploit protection XML file and click **Next**.
+1. Review the settings and click **Next** to create the policy.
+1. After the policy is created, click **Close**. 
+
 ## Group Policy
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -231,15 +241,6 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu
 See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 
 
-
-
-
-
-
-
-
-
-
 ## Related topics
 
 - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)

windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/01/2019
+ms.date: 04/22/2019
 ---
 
 # Enable network protection
@@ -24,11 +24,11 @@ ms.date: 04/01/2019
 You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.  
 You can enable network protection by using any of the these methods:
 
-- Intune 
+- [Microsoft Intune](#intune) 
-- MDM
+- [Mobile Device Management (MDM)](#mdm)
-- Group Policy
+- [System Center Configuration Manager (SCCM)](#sccm)
-- PowerShell cmdlets
+- [Group Policy](#group-policy)
-- Registry
+- [PowerShell](#powershell)
 
 ## Intune
 
@@ -45,9 +45,18 @@ You can enable network protection by using any of the these methods:
 
 Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
 
+## SCCM
+
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. Click **Home** > **Create Exploit Guard Policy**.
+1. Enter a name and a description, click **Network protection**, and click **Next**.
+1. Choose whether to block or audit access to suspicious domains and click **Next**.
+1. Review the settings and click **Next** to create the policy.
+1. After the policy is created, click **Close**. 
+
 ## Group Policy 
 
-You can use the following procedure to enable network protection on a standalone computer or for domain-joined computers.
+You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. 
 
 1.  On a standalone computer, click **Start**, type and then click **Edit group policy**.
 
@@ -93,9 +102,6 @@ Set-MpPreference -EnableNetworkProtection AuditMode
 
 Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
 
-## 
-
-Network protection can't be turned on using the Windows Security app, but you can enable it by 
 
 ## Related topics