Merge branch 'master' into tvm-event-insights

windows/security/identity-protection/access-control/active-directory-security-groups.md

@@ -79,8 +79,8 @@ Groups are characterized by a scope that identifies the extent to which the grou
 
 -   Domain Local
 
-**Note**  
-In addition to these three scopes, the default groups in the **Builtin** container have a group scope of Builtin Local. This group scope and group type cannot be changed.
+> [!NOTE]
+> In addition to these three scopes, the default groups in the **Builtin** container have a group scope of Builtin Local. This group scope and group type cannot be changed.
 
  
 
@@ -111,8 +111,8 @@ The following table lists the three group scopes and more information about each
 <td><p>Accounts from any domain in the same forest</p>
 <p>Global groups from any domain in the same forest</p>
 <p>Other Universal groups from any domain in the same forest</p></td>
-<td><p>Can be converted to Domain Local scope</p>
-<p>Can be converted to Global scope if the group is not a member of any other Universal groups</p></td>
+<td><p>Can be converted to Domain Local scope if the group is not a member of any other Universal groups</p>
+<p>Can be converted to Global scope if the group does not contain any other Universal groups</p></td>
 <td><p>On any domain in the same forest or trusting forests</p></td>
 <td><p>Other Universal groups in the same forest</p>
 <p>Domain Local groups in the same forest or trusting forests</p>
@@ -620,8 +620,8 @@ Members of the Account Operators group cannot manage the Administrator user acco
 
 The Account Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
 
-**Note**  
-By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved.
+> [!NOTE]
+> By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved.
 
  
 
@@ -686,8 +686,8 @@ Members of the Administrators group have complete and unrestricted access to the
 
 The Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
 
-**Note**  
-The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups.
+> [!NOTE]
+> The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups.
 
 Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain.
 
@@ -2056,8 +2056,8 @@ When a member of the Guests group signs out, the entire profile is deleted. This
 
 Computer Configuration\\Administrative Templates\\System\\User Profiles
 
-**Note**  
-A Guest account is a default member of the Guests security group. People who do not have an actual account in the domain can use the Guest account. A user whose account is disabled (but not deleted) can also use the Guest account.
+> [!NOTE]
+> A Guest account is a default member of the Guests security group. People who do not have an actual account in the domain can use the Guest account. A user whose account is disabled (but not deleted) can also use the Guest account.
 
 The Guest account does not require a password. You can set rights and permissions for the Guest account as in any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to sign in to a domain. The Guest account is disabled by default, and we recommend that it stay disabled.
 
@@ -2125,8 +2125,8 @@ This security group has not changed since Windows Server 2008.
 
 Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access.
 
-**Note**  
-Prior to Windows Server 2012, access to features in Hyper-V was controlled in part by membership in the Administrators group.
+> [!NOTE]
+> Prior to Windows Server 2012, access to features in Hyper-V was controlled in part by membership in the Administrators group.
 
  
 
@@ -2252,8 +2252,8 @@ Members of the Incoming Forest Trust Builders group can create incoming, one-way
 
 To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. A secured channel extends to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups.
 
-**Note**  
-This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
+> [!NOTE]
+> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
 
  
 
@@ -2261,8 +2261,8 @@ For more information, see [How Domain and Forest Trusts Work: Domain and Forest
 
 The Incoming Forest Trust Builders group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
 
-**Note**  
-This group cannot be renamed, deleted, or moved.
+> [!NOTE]
+> This group cannot be renamed, deleted, or moved.
 
  
 
@@ -2359,17 +2359,15 @@ Members of the Network Configuration Operators group can have the following admi
 
 -   Enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card.
 
-**Note**  
-This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
+> [!NOTE]
+> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
 
  
-
 The Network Configuration Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
 
-**Note**  
-This group cannot be renamed, deleted, or moved.
+> [!NOTE]
+> This group cannot be renamed, deleted, or moved.
 
- 
 
 This security group has not changed since Windows Server 2008.
 
@@ -2434,26 +2432,23 @@ Members of the Performance Log Users group can manage performance counters, logs
 
 -   Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right.
 
-    **Warning**  
-    If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials.
+    > [!WARNING]
+    > If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials.
 
-     
 
 -   Cannot use the Windows Kernel Trace event provider in Data Collector Sets.
 
 For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
 
-**Note**  
-This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
+> [!NOTE]
+> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
 
  
-
 The Performance Log Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
 
-**Note**  
-This account cannot be renamed, deleted, or moved.
+> [!NOTE]
+> This account cannot be renamed, deleted, or moved.
 
- 
 
 This security group has not changed since Windows Server 2008.
 
@@ -2524,13 +2519,13 @@ Specifically, members of this security group:
 
 -   Cannot create or modify Data Collector Sets.
 
-    **Warning**  
-    You cannot configure a Data Collector Set to run as a member of the Performance Monitor Users group.
+    > [!WARNING]
+    > You cannot configure a Data Collector Set to run as a member of the Performance Monitor Users group.
 
      
 
-**Note**  
-This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). This group cannot be renamed, deleted, or moved.
+> [!NOTE]
+> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). This group cannot be renamed, deleted, or moved.
 
  
 
@@ -2590,15 +2585,13 @@ This security group has not changed since Windows Server 2008.
 </table>
 
  
-
 ### <a href="" id="bkmk-pre-ws2kcompataccess"></a>Pre–Windows 2000 Compatible Access
 
 Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity group, Everyone, is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier.
 
-**Warning**  
-This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
+> [!WARNING]
+> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
 
- 
 
 The Pre–Windows 2000 Compatible Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
 
@@ -3243,8 +3236,8 @@ This security group was introduced in Windows Server 2012, and it has not chang
 
 Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL). Each domain controller keeps a copy of SYSVOL for network clients to access. FRS can also replicate data for the Distributed File System (DFS), synchronizing the content of each member in a replica set as defined by DFS. FRS can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and by a schedule between sites.
 
-**Important**  
-In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server 2008 R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers.
+> [!WARNING]
+> In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server 2008 R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers.
 
 However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see:
 
@@ -3489,8 +3482,8 @@ For more information about this security group, see [Terminal Services License S
 
 The Terminal Server License Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
 
-**Note**  
-This group cannot be renamed, deleted, or moved.
+> [!NOTE]
+> This group cannot be renamed, deleted, or moved.
 
  
 
@@ -3624,11 +3617,10 @@ Members of this group have access to the computed token GroupsGlobalAndUniversal
 
 The Windows Authorization Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
 
-**Note**  
-This group cannot be renamed, deleted, or moved.
+> [!NOTE]
+> This group cannot be renamed, deleted, or moved.
 
  
-
 This security group has not changed since Windows Server 2008.
 
 <table>
@@ -3704,8 +3696,8 @@ The WinRMRemoteWMIUsers\_ group applies to versions of the Windows Server operat
 
 In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers\_\_ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions.
 
-**Note**  
-The WinRMRemoteWMIUsers\_ group allows running Windows PowerShell commands remotely whereas the [Remote Management Users](#bkmk-remotemanagementusers) group is generally used to allow users to manage servers by using the Server Manager console.
+> [!NOTE]
+> The WinRMRemoteWMIUsers\_ group allows running Windows PowerShell commands remotely whereas the [Remote Management Users](#bkmk-remotemanagementusers) group is generally used to allow users to manage servers by using the Server Manager console.
 
  
 

windows/security/identity-protection/credential-guard/credential-guard-requirements.md

@@ -31,7 +31,7 @@ For Windows Defender Credential Guard to provide protection, the computers you a
 To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
 - Support for Virtualization-based security (required)
 - Secure boot (required)
-- TPM 1.2 or 2.0 (preferred - provides binding to hardware), either discrete or firmware 
+- TPM (preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware 
 - UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
 
 The Virtualization-based security requires:

windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md

@@ -40,7 +40,9 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire
 
 A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription.  The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
 
-You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers.  However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business.  Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers.  
+If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.  
+Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 
 > [!NOTE]
 >There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.

windows/security/information-protection/TOC.md

@@ -38,7 +38,7 @@
 
 ## [Encrypted Hard Drive](encrypted-hard-drive.md)
 
-## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)
+## [Kernel DMA Protection](kernel-dma-protection-for-thunderbolt.md)
 
 ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
 ### [Create a WIP policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)

windows/security/information-protection/index.md

@@ -22,7 +22,7 @@ Learn more about how to secure documents and other data across your organization
 |-|-|
 | [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
 | [Encrypted Hard Drive](encrypted-hard-drive.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. |
-| [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. |
+| [Kernel DMA Protection](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to PCI accessible ports, such as Thunderbolt™ 3 ports. |
 | [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
 | [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Windows 10 supports features to help prevent rootkits and bootkits from loading during the startup process. |
 | [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys.  |

windows/security/information-protection/windows-information-protection/limitations-with-wip.md

@@ -133,9 +133,14 @@ This table provides info about the most common problems you might encounter whil
         </td>
       </tr>
     <tr>
-        <td>By design, OneNote only supports WIP protected notebooks stored on enterprise-managed SharePoint (OneDrive for Business).  Onenote does not support local WIP protected notebooks.</td>
-        <td>OneNote might encounter an error such as "This notebook contains protected content from your organization, which can't be viewed or synced. Please change the file ownership to Personal, or contact your IT administrator." Supported notebooks (OneDrive for Business) should be shown in File Explorer as links and open with your associated browser. Unsupported notebooks would show as folders or .one files (with a OneNote icon)</td>
-        <td>If unsupported files won't open in the browser, then they are 'stuck' in the old local format - incompatible with WIP or viewing online. We recommend that you create a new notebook and copy the contents from the existing notebook into the new one. In OneNote desktop, File > New > OnedDive - company name notebook and create a new one. Then within OneNote, copy over the old 'local' sections into this new notebook to ensure they get upgraded to the modern format. Hold Ctrl + drag and drop the sections into the notebook. Holding Ctrl will copy sections rather than move them,  preserving the old sections as backup copies. Wait for the new notebook to finish syncing to OneDrive for business.</td>    
+        <td>OneNote notebooks on OneDrive for Business must be properly configured to work with WIP.</td>
+        <td>OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.</td>
+        <td>"OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:
+1. Close the notebook in OneNote.
+2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop.
+3. Copy the notebook folder and Paste it back into the OneDrive for Business folder.
+
+Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut.  Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.</td>    
     </tr>
     <tr>
         <td>Microsoft Office Outlook offline data files (PST and OST files) are not marked as <strong>Work</strong> files, and are therefore not protected.

windows/security/threat-protection/TOC.md

@@ -249,6 +249,18 @@
 #### [Privacy](microsoft-defender-atp/linux-privacy.md)
 #### [Resources](microsoft-defender-atp/linux-resources.md)
 
+
+### [Microsoft Defender Advanced Threat Protection for Android]()
+#### [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp/microsoft-defender-atp-android.md)
+
+#### [Deploy]()
+##### [Deploy Microsoft Defender ATP for Android with Microsoft Intune](microsoft-defender-atp/android-intune.md)
+
+#### [Configure]()
+##### [Configure Microsoft Defender ATP for Android features](microsoft-defender-atp/android-configure.md)
+
+
+
 ### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
 
 ## [Security operations]()

windows/security/threat-protection/intelligence/TOC.md

@@ -2,10 +2,6 @@
 
 ## [Understand malware & other threats](understanding-malware.md)
 
-### [Prevent malware infection](prevent-malware-infection.md)
-
-### [Malware names](malware-naming.md)
-
 ### [Coin miners](coinminer-malware.md)
 
 ### [Exploits and exploit kits](exploits-malware.md)
@@ -30,6 +26,10 @@
 
 ### [Worms](worms-malware.md)
 
+## [Prevent malware infection](prevent-malware-infection.md)
+
+## [Malware naming convention](malware-naming.md)
+
 ## [How Microsoft identifies malware and PUA](criteria.md)
 
 ## [Submit files for analysis](submission-guide.md)

windows/security/threat-protection/intelligence/index.md

@@ -15,9 +15,11 @@ ms.topic: conceptual
 ---
 # Security intelligence
 
-Here you will find information about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs
+Here you will find information about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs.
 
 * [Understand malware & other threats](understanding-malware.md)
+* [Prevent malware infection](prevent-malware-infection.md)
+* [Malware naming convention](malware-naming.md)
 * [How Microsoft identifies malware and PUA](criteria.md)
 * [Submit files for analysis](submission-guide.md)
 * [Safety Scanner download](safety-scanner-download.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md

@@ -53,7 +53,7 @@ Because your protection is a cloud service, computers must have access to the in
 | **Service**| **Description** |**URL** |
 | :--: | :-- | :-- |
 | Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <br/> `*.wdcpalt.microsoft.com` <br/> `*.wd.microsoft.com`|
-| Microsoft Update Service (MU)|	Security intelligence and product updates	|`*.update.microsoft.com`|
+| Microsoft Update Service (MU) <br/> Windows Update Service (WU)|	Security intelligence and product updates	|`*.update.microsoft.com` <br/> `*.delivery.mp.microsoft.com`<br/> `*.windowsupdate.com` <br/> for details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
 |Security intelligence updates Alternate Download Location (ADL)|	Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)|	`*.download.microsoft.com`|
 | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission	| `ussus1eastprod.blob.core.windows.net` <br/>    `ussus1westprod.blob.core.windows.net` <br/>    `usseu1northprod.blob.core.windows.net` <br/>    `usseu1westprod.blob.core.windows.net` <br/>    `ussuk1southprod.blob.core.windows.net` <br/>    `ussuk1westprod.blob.core.windows.net` <br/>    `ussas1eastprod.blob.core.windows.net` <br/>    `ussas1southeastprod.blob.core.windows.net` <br/>    `ussau1eastprod.blob.core.windows.net` <br/>    `ussau1southeastprod.blob.core.windows.net` |
 | Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL	| `https://www.microsoft.com/pkiops/crl/` <br/> `https://www.microsoft.com/pkiops/certs` <br/>   `https://crl.microsoft.com/pki/crl/products` <br/> `https://www.microsoft.com/pki/certs` |

windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md

@@ -50,6 +50,7 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh
 If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
 - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
 - Name: ForceDefenderPassiveMode
+- Type: REG_DWORD
 - Value: 1
 
 See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.

windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md

@@ -27,10 +27,13 @@ In Windows 10, version 1703 and later, the Windows Defender app is part of the W
 Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
 
 > [!IMPORTANT]
-> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.<br/>If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. 
->It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. 
->This will significantly lower the protection of your device and could lead to malware infection.
-
+> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
+>
+> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+>
+> It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
+>
+> This will significantly lower the protection of your device and could lead to malware infection.
 
 See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
 
@@ -46,7 +49,7 @@ The Windows Security app is a client interface on Windows 10, version 1703 and l
     
 ## Comparison of settings and functions of the old app and the new app
 
-All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app. 
+All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app.
 
 The following diagrams compare the location of settings and functions between the old and new apps:
 
@@ -95,7 +98,6 @@ This section describes how to perform some of the most common tasks when reviewi
 
 4. Click **Check for updates** to download new protection updates (if there are any).
 
-
 ### Ensure Microsoft Defender Antivirus is enabled in the Windows Security app
 
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -106,10 +108,10 @@ This section describes how to perform some of the most common tasks when reviewi
 
 4. Toggle the **Real-time protection** switch to **On**.
 
-    >[!NOTE]
-    >If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.  
-    >If you install another antivirus product, Microsoft Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
-
+    > [!NOTE]
+    > If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
+    >
+    > If you install another antivirus product, Microsoft Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
 
 <a id="exclusions"></a>
 
@@ -135,21 +137,19 @@ The following table summarizes exclusion types and what happens:
 |**File type**   |File extension <br/>Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus.         |
 |**Process**     |Executable file path <br>Example: `c:\test\process.exe`         |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus.         |
 
-To learn more, see: 
+To learn more, see:
 - [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus) 
 - [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
 
 ### Review threat detection history in the Windows Defender Security Center app
 
-  1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or 
-  searching the start menu for **Defender**.
- 
-  2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
-  3. Click **Threat history**
+  1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
   
-  4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, 
-  **Allowed threats**).
+  2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+  3. Click **Threat history**
+  
+  4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
 
 <a id="ransomware"></a>
 
@@ -168,5 +168,3 @@ To learn more, see:
 ## Related articles
 
 - [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
-
-

windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md

@@ -30,7 +30,7 @@ For a list of the cmdlets and their functions and available parameters, see the
 PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
 
 > [!NOTE]
-> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), or [Microsoft Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/100591).
+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), or [Microsoft Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/101445).
 
 Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
 

windows/security/threat-protection/microsoft-defender-atp/android-configure.md

@@ -0,0 +1,50 @@
+---
+title: Configure Microsoft Defender ATP for Android features
+ms.reviewer:
+description: Describes how to configure Microsoft Defender ATP for Android 
+keywords: microsoft, defender, atp, android, configuration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Configure Microsoft Defender ATP for Android features
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
+
+## Conditional Access with Microsoft Defender ATP for Android  
+Microsoft Defender ATP for Android along with Microsoft Intune and Azure Active
+Directory enables enforcing Device compliance and Conditional Access policies
+based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense
+(MTD) solution that you can deploy to leverage this capability via Intune.
+
+For more infomation on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
+Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
+
+
+## Configure custom indicators  
+
+>[!NOTE]
+> Microsoft Defender ATP for Android only supports creating custom indicators for IP addresses and URLs/domains.
+
+Microsoft Defender ATP for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md).
+
+## Configure web protection
+Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
+
+For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
+
+## Related topics
+- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
+- [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md)

windows/security/threat-protection/microsoft-defender-atp/android-intune.md

@@ -0,0 +1,294 @@
+---
+title: Deploy Microsoft Defender ATP for Android with Microsoft Intune
+ms.reviewer:
+description: Describes how to deploy Microsoft Defender ATP for Android with Microsoft Intune
+keywords: microsoft, defender, atp, android, installation, deploy, uninstallation,
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Deploy Microsoft Defender ATP for Android with Microsoft Intune 
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
+
+This topic describes deploying Microsoft Defender ATP for Android on Intune
+Company Portal enrolled devices. For more information about Intune device enrollment, see  [Enroll your
+device](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/aka.ms/enrollAndroid).
+
+
+> [!NOTE]
+> During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise entrollment modes. <br>
+> **When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.**
+
+## Deploy on Device Administrator enrolled devices
+
+**Deploy Microsoft Defender ATP for Android on Intune Company Portal - Device
+Administrator enrolled devices**
+
+This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices. Upgrade from the Preview APK to the GA version on Google Play would be supported.
+
+### Download the onboarding package
+
+Download the onboarding package from Microsoft Defender Security Center.
+
+1. In [Microsoft Defender Security
+Center](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/securitycenter.microsoft.com), go to **Settings** \> **Machine Management** \> **Onboarding**.
+
+2. In the first drop-down, select **Android** as the Operating system.
+
+3. Select **Download Onboarding package** and save the downloaded .APK file.
+
+    ![Image of onboarding package page](images/onboarding_package_1.png)
+
+### Add as Line of Business (LOB) App
+
+The downloaded Microsoft Defender ATP for Android onboarding package. It is a
+.APK file can be deployed to user groups as a Line of Business app during the
+preview from Microsoft Endpoint Manager Admin Center.
+
+1. In [Microsoft Endpoint Manager admin
+center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
+**Android Apps** \> **Add \> Line-of-business app** and click **Select**.
+
+    ![Image of Microsoft Endpoint Manager Admin Center](images/eba67e1a3adfec2c77c35a34cb030fba.png)
+
+
+2. On the **Add app** page and in the *App Information* section, click **Select
+add package file** and then click the ![Icon](images/1a62eac0222a9ba3c2fd62744bece76e.png) icon and select the MDATP Universal APK file that was downloaded from the *Download Onboarding package* step.
+
+    ![Image of Microsoft Endpoint Manager Admin Center](images/e78d36e06495c2f70eb14230de6f7429.png)
+
+
+3. Select **OK**.
+
+4. In the *App Information* section that comes up, enter the **Publisher** as
+Microsoft. Other fields are optional and then select **Next**.
+
+    ![Image of Microsoft Endpoint Manager Admin Center](images/190a979ec5b6a8f57c9067fe1304cda8.png)
+
+5. In the *Assignments* section, go to the **Required** section and select **Add
+group.** You can then choose the user group(s) that you would like to target
+Microsoft Defender ATP for Android app. Click **Select** and then **Next**.
+
+    >[!NOTE]
+    >The selected user group should consist of Intune enrolled users.
+
+      ![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png)
+
+
+6. In the **Review+Create** section, verify that all the information entered is
+correct and then select **Create**.
+
+    In a few moments, the Microsoft Defender ATP app would be created successfully,
+and a notification would show up at the top-right corner of the page.
+
+    ![Image of Microsoft Endpoint Manager Admin Center](images/86cbe56f88bb6e93e9c63303397fc24f.png)
+
+
+7. In the app information page that is displayed, in the **Monitor** section,
+select **Device install status** to verify that the device installation has
+completed successfully.
+
+    ![Image of Microsoft Endpoint Manager Admin Center](images/513cf5d59eaaef5d2b5bc122715b5844.png)
+
+
+During Public Preview, to **update** Microsoft Defender ATP for Android deployed
+as a Line of Business app, download the latest APK. Following the steps in
+*Download the onboarding package* section and follow instructions on how to [update
+a Line of Business
+App](https://docs.microsoft.com/mem/intune/apps/lob-apps-android#step-5-update-a-line-of-business-app).
+
+### Complete onboarding and check status
+
+1. Once Microsoft Defender ATP for Android has been installed on the device, you'll see the app icon.
+
+    ![Icon on mobile device](images/7cf9311ad676ec5142002a4d0c2323ca.jpg)
+
+2. Tap the Microsoft Defender ATP app icon and follow the on-screen instructions
+to complete onboarding the app. The details include end-user acceptance of Android permissions required by Microsoft Defender ATP for Android.
+
+3. Upon successful onboarding, the device will start showing up on the Devices
+list in Microsoft Defender Security Center.
+
+    ![Image of device in Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png)
+
+## Deploy on Android Enterprise enrolled devices
+
+Microsoft Defender ATP for Android supports Android Enterprise enrolled devices.
+
+For more information on the enrollment options supported by Intune, see 
+[Enrollment
+Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) .
+
+As Microsoft Defender ATP for Android is deployed via managed Google Play,
+updates to the app are automatic via Google Play.
+
+Currently only Work Profile, Fully Managed devices are supported for deployment.
+
+
+>[!NOTE]
+>During Public Preview, to access Microsoft Defender ATP in your managed Google Play, contact [atpm@microsoft.com](mailto:atpm@microsoft.com) with the organization ID of your managed Google Play for next steps. This can be found under the **Admin Settings** of [managed Google Play](https://play.google.com/work/).<br>
+> At General Availability (GA), Microsoft Defender ATP for Android will be available as a public app. Upgrades from preview to GA version will be supported.
+
+## Add Microsoft Defender ATP for Android as a managed Google Play app
+
+After receiving a confirmation e-mail from Microsoft that your managed Google
+Play organization ID has been approved, follow the steps below to add Microsoft
+Defender ATP app into your managed Google Play.
+
+1. In [Microsoft Endpoint Manager admin
+center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
+**Android Apps** \> **Add** and select **managed Google Play app**.
+
+    ![Image of Microsoft Endpoint Manager admin center](images/579ff59f31f599414cedf63051628b2e.png)
+
+
+2. On your managed Google Play page that loads subsequently, go to the search
+box and lookup **Microsoft Defender.** Your search should display the Microsoft
+Defender ATP app in your Managed Google Play. Click on the Microsoft Defender
+ATP app from the Apps search result.
+
+    ![Image of Microsoft Endpoint Manager admin center](images/0f79cb37900b57c3e2bb0effad1c19cb.png)
+
+3. In the App description page that comes up next, you should be able to see app
+details on Microsoft Defender ATP. Review the information on the page and then
+select **Approve**.
+
+    ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png)
+
+
+4. You should now be presented with the permissions that Microsoft Defender ATP
+obtains for it to work. Review them and then select **Approve**.
+
+    ![A screenshot of Microsoft Defender ATP preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png)
+
+
+5. You'll be presented with the Approval settings page. The page confirms
+your preference to handle new app permissions that Microsoft Defender ATP for
+Android might ask. Review the choices and select your preferred option. Select
+**Done**.
+
+    By default, managed Google Play selects *Keep approved when app requests new
+permissions*
+
+   ![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png)
+
+
+6. After the permissions handling selection is made, select **Sync** to sync
+Microsoft Defender ATP to your apps list.
+
+    ![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png)
+
+
+7. The sync will complete in a few minutes.
+
+    ![Image of Android app](images/9fc07ffc150171f169dc6e57fe6f1c74.png)
+
+8. Select the **Refresh** button in the Android apps screen and Microsoft
+Defender ATP should be visible in the apps list.
+
+    ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png)
+
+
+9. Microsoft Defender ATP supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s).
+
+    a. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**.
+
+    ![Image of Microsoft Endpoint Manager admin center](images/android-mem.png)
+
+    b. In the **Create app configuration policy** page, enter the following details:
+        - Name: Microsoft Defender ATP.
+        - Choose **Android Enterprise** as platform.
+        - Choose **Work Profile only** as Profile Type.
+        - Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**.
+    
+    ![Image of create app configuration policy page](images/android-create-app.png)
+
+    c. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions 
+    - External storage (read)
+    - External storage (write)
+
+    Then select **OK**.
+
+    ![Image of create app configuration policy](images/android-create-app-config.png)
+
+    
+    d. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**.
+
+     ![Image of create app configuration policy](images/android-auto-grant.png)
+
+
+    e. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**.  The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app. 
+
+    ![Image of create app configuration policy](images/android-select-group.png)
+    
+
+     f. In the **Review + Create** page that comes up next, review all the information and then select **Create**. <br>
+    
+    The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group.
+
+    ![Image of create app configuration policy](images/android-review-create.png)
+
+
+
+10. Select **Microsoft Defender ATP** app in the list \> **Properties** \>
+**Assignments** \> **Edit**.
+
+    ![Image of list of apps](images/9336bbd778cff5e666328bb3db7c76fd.png)
+
+
+11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of
+the device via Company Portal app. This assignment can be done by navigating to
+the *Required* section \> **Add group,** selecting the user group and click
+**Select**.
+
+    ![Image of edit application page](images/ea06643280075f16265a596fb9a96042.png)
+
+
+12. In the **Edit Application** page, review all the information that was entered
+above. Then select **Review + Save** and then **Save** again to commence
+assignment.
+
+## Complete onboarding and check status
+
+1. Confirm the installation status of Microsoft Defender ATP for Android by
+clicking on the **Device Install Status**. Verif that the device is
+displayed here.
+
+    ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png)
+
+
+2. On the device, you can confirm the same by going to the **work profile** and
+confirm that Microsoft Defender ATP is available.
+
+    ![Image of app in mobile device](images/c2e647fc8fa31c4f2349c76f2497bc0e.png)
+
+3. When the app is installed, open the app and accept the permissions
+and then your onboarding should be successful.
+
+    ![Image of mobile device with Microsoft Defender ATP app](images/23c125534852dcef09b8e37c98e82148.png)
+
+4. At this stage the device is successfully onboarded onto Microsoft Defender
+ATP for Android. You can verify this on the [Microsoft Defender Security
+Center](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/securitycenter.microsoft.com)
+by navigating to the **Devices** page.
+
+    ![Image of Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png)
+
+
+## Related topics
+- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
+- [Configure Microsoft Defender ATP for Android features](android-configure.md)

windows/security/threat-protection/microsoft-defender-atp/android-terms.md

@@ -0,0 +1,229 @@
+---
+title: Microsoft Defender ATP for Android Application license terms
+ms.reviewer:
+description: Describes the Microsoft Defender ATP for Android license terms
+keywords: microsoft, defender, atp, android,license, terms, application, use, installation, service, feedback, scope, 
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+hideEdit: true
+---
+
+# Microsoft Defender ATP for Android application license terms
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
+
+## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP
+
+These license terms ("Terms") are an agreement between Microsoft Corporation (or
+based on where you live, one of its affiliates) and you. Please read them. They
+apply to the application named above. These Terms also apply to any Microsoft
+
+-   updates,
+
+-   supplements,
+
+-   Internet-based services, and
+
+-   support services
+
+for this application, unless other terms accompany those items. If so, those
+terms apply.
+
+**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM,
+DO NOT USE THE APPLICATION.**
+
+**If you comply with these Terms, you have the perpetual rights below.**
+
+1.  **INSTALLATION AND USE RIGHTS.**
+
+    1.  **Installation and Use.** You may install and use any number of copies
+        of this application on Android enabled device or devices which you own
+        or control. You may use this application with your company's valid
+        subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or
+        an online service that includes MDATP functionalities.
+
+    2.  **Updates.** Updates or upgrades to MDATP may be required for full
+        functionality. Some functionality may not be available in all countries.
+
+    3.  **Third Party Programs.** The application may include third party
+        programs that Microsoft, not the third party, licenses to you under this
+        agreement. Notices, if any, for the third-party program are included for
+        your information only.
+
+2.  **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
+    Internet access, data transfer and other services per the terms of the data
+    service plan and any other agreement you have with your network operator due
+    to use of the application. You are solely responsible for any network
+    operator charges.
+
+3.  **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with
+    the application. It may change or cancel them at any time.
+
+    1.  Consent for Internet-Based or Wireless Services. The application may
+        connect to Internet-based wireless services. Your use of the application
+        operates as your consent to the transmission of standard device
+        information (including but not limited to technical information about
+        your device, system and application software, and peripherals) for
+        Internet-based or wireless services. If other terms are provided in
+        connection with your use of the services, those terms also apply.
+
+        -   Data. Some online services require, or may be enhanced by, the
+            installation of local software like this one. At your, or your
+            admin's direction, this software may send data from a device to or
+            from an online service.
+
+        -   Usage Data. Microsoft automatically collects usage and performance
+            data over the internet. This data will be used to provide and
+            improve Microsoft products and services and enhance your experience.
+            You may limit or control collection of some usage and performance
+            data through your device settings. Doing so may disrupt your use of
+            certain features of the application. For additional information on
+            Microsoft's data collection and use, see the [Online Services
+            Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
+
+    2.  Misuse of Internet-based Services. You may not use any Internet-based
+        service in any way that could harm it or impair anyone else's use of it
+        or the wireless network. You may not use the service to try to gain
+        unauthorized access to any service, data, account or network by any
+        means.
+
+4.  **FEEDBACK.** If you give feedback about the application to Microsoft, you
+    give to Microsoft, without charge, the right to use, share and commercialize
+    your feedback in any way and for any purpose. You also give to third
+    parties, without charge, any patent rights needed for their products,
+    technologies and services to use or interface with any specific parts of a
+    Microsoft software or service that includes the feedback. You will not give
+    feedback that is subject to a license that requires Microsoft to license its
+    software or documentation to third parties because we include your feedback
+    in them. These rights survive this agreement.
+
+5.  **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement
+    only gives you some rights to use the application. Microsoft reserves all
+    other rights. Unless applicable law gives you more rights despite this
+    limitation, you may use the application only as expressly permitted in this
+    agreement. In doing so, you must comply with any technical limitations in
+    the application that only allow you to use it in certain ways. You may not
+
+    -   work around any technical limitations in the application;
+
+    -   reverse engineer, decompile or disassemble the application, except and
+        only to the extent that applicable law expressly permits, despite this
+        limitation;
+
+    -   make more copies of the application than specified in this agreement or
+        allowed by applicable law, despite this limitation;
+
+    -   publish the application for others to copy;
+
+    -   rent, lease or lend the application; or
+
+    -   transfer the application or this agreement to any third party.
+
+6.  **EXPORT RESTRICTIONS.** The application is subject to United States export
+    laws and regulations. You must comply with all domestic and international
+    export laws and regulations that apply to the application. These laws
+    include restrictions on destinations, end users and end use. For additional
+    information,
+    see<65>[www.microsoft.com/exporting](https://www.microsoft.com/exporting).
+
+7.  **SUPPORT SERVICES.** Because this application is "as is," we may not
+    provide support services for it. If you have any issues or questions about
+    your use of this application, including questions about your company's
+    privacy policy, please contact your company's admin. Do not contact the
+    application store, your network operator, device manufacturer, or Microsoft.
+    The application store provider has no obligation to furnish support or
+    maintenance with respect to the application.
+
+8.  **APPLICATION STORE.**
+
+    1.  If you obtain the application through an application store (e.g., Google
+        Play), please review the applicable application store terms to ensure
+        your download and use of the application complies with such terms.
+        Please note that these Terms are between you and Microsoft and not with
+        the application store.
+
+    2.  The respective application store provider and its subsidiaries are third
+        party beneficiaries of these Terms, and upon your acceptance of these
+        Terms, the application store provider(s) will have the right to directly
+        enforce and rely upon any provision of these Terms that grants them a
+        benefit or rights.
+
+9.  **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and
+    Microsoft 365 are registered or common-law trademarks of Microsoft
+    Corporation in the United States and/or other countries.
+
+10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates,
+    Internet-based services, and support services that you use are the entire
+    agreement for the application and support services.
+
+11. **APPLICABLE LAW.**
+
+    1.  **United States.** If you acquired the application in the United States,
+        Washington state law governs the interpretation of this agreement and
+        applies to claims for breach of it, regardless of conflict of laws
+        principles. The laws of the state where you live govern all other
+        claims, including claims under state consumer protection laws, unfair
+        competition laws, and in tort.
+
+    2.  **Outside the United States.** If you acquired the application in any
+        other country, the laws of that country apply.
+
+12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may
+    have other rights under the laws of your country. You may also have rights
+    with respect to the party from whom you acquired the application. This
+    agreement does not change your rights under the laws of your country if the
+    laws of your country do not permit it to do so.
+
+13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL
+    FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND
+    WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND
+    EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO
+    EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE
+    APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+    APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE
+    ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL
+    CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
+    THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE
+    IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+    NON-INFRINGEMENT.**
+
+    **FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.**
+
+14.  **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT
+    PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO
+    ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER
+    DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR
+    INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
+
+This limitation applies to:
+
+-   anything related to the application, services, content (including code) on
+    third party Internet sites, or third party programs; and
+
+-   claims for breach of contract, warranty, guarantee or condition; consumer
+    protection; deception; unfair competition; strict liability, negligence,
+    misrepresentation, omission, trespass or other tort; violation of statute or
+    regulation; or unjust enrichment; all to the extent permitted by applicable
+    law.
+
+It also applies even if:
+
+a.  Repair, replacement or refund for the application does not fully compensate
+    you for any losses; or
+
+b.  Covered Parties knew or should have known about the possibility of the
+    damages.
+
+The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md

@@ -125,6 +125,8 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a
 ## Power BI dashboard samples in GitHub
 For more information see the [Power BI report templates](https://github.com/microsoft/MDATP-PowerBI-Templates).
 
+## Sample reports
+View the Microsoft Defender ATP Power BI report samples. For more information, see [Browse code samples](https://docs.microsoft.com/samples/browse/?products=mdatp).
 
 
 ## Related topic

windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md

@@ -399,7 +399,7 @@ GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
 
 ## Related topics
 
-- [Attack surface reduction FAQ](attack-surface-reduction.md)
+- [Attack surface reduction FAQ](attack-surface-reduction-faq.md)
 
 - [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
 

windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md

@@ -93,22 +93,31 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
 3.  In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
   
 4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts.
+
+> [!NOTE]
+> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub. 
+
+Watch this video for a quick overview of the Microsoft Services Hub.
+
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f] 
+
+
    
 ## Sample investigation topics that you can consult with Microsoft Threat Experts
 
 **Alert information**
 - We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
-- We’ve observed two similar attacks which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
+- We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
 - I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Microsoft Defender ATP see these attempts? What type of sign-ins are being monitored?
 - Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”. 
 
 **Possible machine compromise**
-- Can you help answer why we see “Unknown process observed?” This is seen quite frequently on many machines. We appreciate any input to clarify whether this is related to malicious activity.
+- Can you help answer why we see “Unknown process observed?” This message or alert is seen frequently on many machines. We appreciate any input to clarify whether this message or alert is related to malicious activity.
 - Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
 
 **Threat intelligence details**
-- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
-- I recently saw a [social media reference e.g., Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor? 
+- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
+- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor? 
 
 **Microsoft Threat Experts’ alert communications** 
 - Can your incident response team help us address the targeted attack notification that we got?
@@ -127,7 +136,7 @@ Response from Microsoft Threat Experts varies according to your inquiry. They wi
 - Investigation requires more time   
 - Initial information was enough to conclude the investigation 
 
-It is crucial to respond in a timely manner to keep the investigation moving. 
+It is crucial to respond in quickly to keep the investigation moving. 
 
 ## Related topic
 - [Microsoft Threat Experts overview](microsoft-threat-experts.md)

windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md

@@ -85,9 +85,9 @@ You'll need to take the following steps if you choose to onboard servers through
 Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
 
 The following steps are required to enable this integration:
-- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
+- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie).
 
-- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
+- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting.
 
 
 ### Turn on Server monitoring from the Microsoft Defender Security Center portal
@@ -156,6 +156,7 @@ Support for Windows Server, provide deeper insight into activities happening on
     1. Set the following registry entry:
        - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
        - Name: ForceDefenderPassiveMode
+       - Type: REG_DWORD
        - Value: 1
 
     1. Run the following PowerShell command to verify that the passive mode was configured:
@@ -185,7 +186,7 @@ The following capabilities are included in this integration:
     > Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.
 
 - Servers monitored by  Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers.  In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
-- Server investigation -  Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
+- Server investigation -  Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.
 
 > [!IMPORTANT]
 > - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default.
@@ -233,7 +234,7 @@ To offboard the server, you can use either of the following methods:
 
 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
 
-    ```
+    ```powershell
     # Load agent scripting object
     $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
     # Remove OMS Workspace

windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md

@@ -64,7 +64,7 @@ For more information on how to configure exclusions from Puppet, Ansible, or ano
 Run the following command to see the available switches for managing exclusions:
 
 ```bash
-$ mdatp --exclusion
+$ mdatp exclusion
 ```
 
 Examples:
@@ -72,29 +72,29 @@ Examples:
 - Add an exclusion for a file extension:
 
     ```bash
-    $ mdatp --exclusion --add-extension .txt
-    Configuration updated successfully
+    $ mdatp exclusion extension add --name .txt
+    Extension exclusion configured successfully
     ```
 
 - Add an exclusion for a file:
 
     ```bash
-    $ mdatp --exclusion --add-folder /var/log/dummy.log
-    Configuration updated successfully
+    $ mdatp exclusion file add --path /var/log/dummy.log
+    File exclusion configured successfully
     ```
 
 - Add an exclusion for a folder:
 
     ```bash
-    $ mdatp --exclusion --add-folder /var/log/
-    Configuration updated successfully
+    $ mdatp exclusion folder add --path /var/log/
+    Folder exclusion configured successfully
     ```
 
 - Add an exclusion for a process:
 
     ```bash
-    $ mdatp --exclusion --add-process cat
-    Configuration updated successfully
+    $ mdatp exclusion process add --name cat
+    Process exclusion configured successfully
     ```
 
 ## Validate exclusions lists with the EICAR test file

windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md

@@ -268,7 +268,7 @@ Download the onboarding package from Microsoft Defender Security Center:
     Initially the client machine is not associated with an organization. Note that the *orgId* attribute is blank:
 
     ```bash
-    mdatp --health orgId
+    mdatp health --field org_id
     ```
 
 2. Run MicrosoftDefenderATPOnboardingLinuxServer.py, and note that, in order to run this command, you must have `python` installed on the device:
@@ -280,17 +280,20 @@ Download the onboarding package from Microsoft Defender Security Center:
 3. Verify that the machine is now associated with your organization and reports a valid organization identifier:
 
     ```bash
-    mdatp --health orgId
+    mdatp health --field org_id
     ```
 
 4. A few minutes after you complete the installation, you can see the status by running the following command. A return value of `1` denotes that the product is functioning as expected:
 
     ```bash
-    mdatp --health healthy
+    mdatp health --field healthy
     ```
 
     > [!IMPORTANT]
-    > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.<br>
+    > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `false`. You can check the status of the definition update using the following command:
+    > ```bash
+    > mdatp health --field definitions_status
+    > ```
     > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Microsoft Defender ATP for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration).
 
 5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine:
@@ -298,7 +301,7 @@ Download the onboarding package from Microsoft Defender Security Center:
     - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):
 
         ```bash
-        mdatp --health realTimeProtectionEnabled
+        mdatp health --field real_time_protection_enabled
         ```
 
     - Open a Terminal window. Copy and execute the following command:
@@ -310,7 +313,7 @@ Download the onboarding package from Microsoft Defender Security Center:
     - The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats:
 
         ```bash
-        mdatp --threat --list --pretty
+        mdatp threat list
         ```
 
 ## Log installation issues

windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md

@@ -149,31 +149,31 @@ Create subtask or role files that contribute to an actual task. First create the
     > [!NOTE]
     > In case of Oracle Linux, replace *[distro]* with “rhel”.
 
-        ```bash
-        - name: Add Microsoft apt repository for MDATP
-            apt_repository:
-                repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
-                update_cache: yes
-                state: present
-                filename: microsoft-[channel].list
-            when: ansible_os_family == "Debian"
+  ```bash
+  - name: Add Microsoft apt repository for MDATP
+      apt_repository:
+          repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
+          update_cache: yes
+          state: present
+          filename: microsoft-[channel].list
+      when: ansible_os_family == "Debian"
 
-        - name: Add Microsoft APT key
-            apt_key:
-                keyserver: https://packages.microsoft.com/
-                id: BC528686B50D79E339D3721CEB3E94ADBE1229CF
-            when: ansible_os_family == "Debian"
+  - name: Add Microsoft APT key
+      apt_key:
+          keyserver: https://packages.microsoft.com/
+          id: BC528686B50D79E339D3721CEB3E94ADBE1229CF
+      when: ansible_os_family == "Debian"
 
-        - name: Add  Microsoft yum repository for MDATP
-            yum_repository:
-                name: packages-microsoft-com-prod-[channel]
-                description: Microsoft Defender ATP
-                file: microsoft-[channel]
-                baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
-                gpgcheck: yes
-                enabled: Yes
-            when: ansible_os_family == "RedHat"
-        ```
+  - name: Add  Microsoft yum repository for MDATP
+      yum_repository:
+          name: packages-microsoft-com-prod-[channel]
+          description: Microsoft Defender ATP
+          file: microsoft-[channel]
+          baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
+          gpgcheck: yes
+          enabled: Yes
+      when: ansible_os_family == "RedHat"
+  ```
 
 - Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`.
 
@@ -241,8 +241,8 @@ Now run the tasks files under `/etc/ansible/playbooks/`.
 - Validation/configuration:
 
     ```bash
-    $ ansible -m shell -a 'mdatp --connectivity-test' all
-    $ ansible -m shell -a 'mdatp --health' all
+    $ ansible -m shell -a 'mdatp connectivity test' all
+    $ ansible -m shell -a 'mdatp health' all
     ```
 
 - Uninstallation:

windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md

@@ -174,10 +174,10 @@ Enrolled agent devices periodically poll the Puppet Server, and install new conf
 On the agent machine, you can also check the onboarding status by running:
 
 ```bash
-$ mdatp --health
+$ mdatp health
 ...
 licensed                                : true
-orgId                                   : "[your organization identifier]"
+org_id                                  : "[your organization identifier]"
 ...
 ```
 
@@ -190,7 +190,7 @@ orgId                                   : "[your organization identifier]"
 You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
 
 ```bash
-mdatp --health healthy
+mdatp health --field healthy
 ```
 
 The above command prints `1` if the product is onboarded and functioning as expected.

windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md

@@ -247,11 +247,25 @@ Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, de
 
 #### Enable / disable automatic sample submissions
 
-Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information.
+Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. There are three levels for controlling sample submission:
+
+- **None**: no suspicious samples are submitted to Microsoft.
+- **Safe**: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
+- **All**: all suspicious samples are submitted to Microsoft.
 
 |||
 |:---|:---|
-| **Key** | automaticSampleSubmission |
+| **Key** | automaticSampleSubmissionConsent |
+| **Data type** | String |
+| **Possible values** | none <br/> safe (default) <br/> all |
+
+#### Enable / disable automatic security intelligence updates
+
+Determines whether security intelligence updates are installed automatically:
+
+|||
+|:---|:---|
+| **Key** | automaticDefinitionUpdateEnabled |
 | **Data type** | Boolean |
 | **Possible values** | true (default) <br/> false |
 
@@ -261,12 +275,13 @@ To get started, we recommend the following configuration profile for your enterp
 
 The following configuration profile will:
 
-- Enable real-time protection (RTP).
+- Enable real-time protection (RTP)
 - Specify how the following threat types are handled:
-  - **Potentially unwanted applications (PUA)** are blocked.
-  - **Archive bombs** (file with a high compression rate) are audited to the product logs.
-- Enable cloud-delivered protection.
-- Enable automatic sample submission.
+  - **Potentially unwanted applications (PUA)** are blocked
+  - **Archive bombs** (file with a high compression rate) are audited to the product logs
+- Enable automatic security intelligence updates
+- Enable cloud-delivered protection
+- Enable automatic sample submission at `safe` level
 
 ### Sample profile
 
@@ -286,7 +301,8 @@ The following configuration profile will:
       ]
    },
    "cloudService":{
-      "automaticSampleSubmission":true,
+      "automaticDefinitionUpdateEnabled":true,
+      "automaticSampleSubmissionConsent":"safe",
       "enabled":true
    }
 }
@@ -346,7 +362,8 @@ The following configuration profile contains entries for all settings described
    "cloudService":{
       "enabled":true,
       "diagnosticLevel":"optional",
-      "automaticSampleSubmission":true
+      "automaticSampleSubmissionConsent":"safe",
+      "automaticDefinitionUpdateEnabled":true
    }
 }
 ```

windows/security/threat-protection/microsoft-defender-atp/linux-pua.md

@@ -53,7 +53,7 @@ You can configure how PUA files are handled from the command line or from the ma
 In Terminal, execute the following command to configure PUA protection:
 
 ```bash
-$ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
+$ mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
 ```
 
 ### Use the management console to configure PUA protection:

windows/security/threat-protection/microsoft-defender-atp/linux-resources.md

@@ -31,29 +31,24 @@ If you can reproduce a problem, please increase the logging level, run the syste
 1. Increase logging level:
 
    ```bash
-   $ mdatp --log-level verbose
-   Creating connection to daemon
-   Connection established
-   Operation succeeded
+   $ mdatp log level set --level verbose
+   Log level configured successfully
    ```
 
 2. Reproduce the problem.
 
-3. Run `sudo mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds:
+3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds:
 
    ```bash
-   $ sudo mdatp --diagnostic --create
-   Creating connection to daemon
-   Connection established
+   $ sudo mdatp diagnostic create
+   Diagnostic file created: <path to file>
    ```
 
 4. Restore logging level:
 
    ```bash
-   $ mdatp --log-level info
-   Creating connection to daemon
-   Connection established
-   Operation succeeded
+   $ mdatp log level set --level info
+   Log level configured successfully
    ```
 
 ## Log installation issues
@@ -78,21 +73,22 @@ Important tasks, such as controlling product settings and triggering on-demand s
 
 |Group        |Scenario                                   |Command                                                                |
 |-------------|-------------------------------------------|-----------------------------------------------------------------------|
-|Configuration|Turn on/off real-time protection           |`mdatp --config realTimeProtectionEnabled [true/false]`                |
-|Configuration|Turn on/off cloud protection               |`mdatp --config cloudEnabled [true/false]`                             |
-|Configuration|Turn on/off product diagnostics            |`mdatp --config cloudDiagnosticEnabled [true/false]`                               |
-|Configuration|Turn on/off automatic sample submission    |`mdatp --config cloudAutomaticSampleSubmission [true/false]`           |
-|Configuration|Turn on PUA protection                     |`mdatp --threat --type-handling potentially_unwanted_application block`|
-|Configuration|Turn off PUA protection                    |`mdatp --threat --type-handling potentially_unwanted_application off`  |
-|Configuration|Turn on audit mode for PUA protection      |`mdatp --threat --type-handling potentially_unwanted_application audit`|
-|Diagnostics  |Change the log level                       |`mdatp --log-level [error/warning/info/verbose]`                       |
-|Diagnostics  |Generate diagnostic logs                   |`mdatp --diagnostic --create`                                                   |
-|Health       |Check the product's health                 |`mdatp --health`                                                       |
-|Protection   |Scan a path                                |`mdatp --scan --path [path]`                                           |
-|Protection   |Do a quick scan                            |`mdatp --scan --quick`                                                 |
-|Protection   |Do a full scan                             |`mdatp --scan --full`                                                  |
-|Protection   |Cancel an ongoing on-demand scan           |`mdatp --scan --cancel`                                                |
-|Protection   |Request a security intelligence update     |`mdatp --definition-update`                                            |
+|Configuration|Turn on/off real-time protection           |`mdatp config real_time_protection --value [enabled|disabled]`         |
+|Configuration|Turn on/off cloud protection               |`mdatp config cloud --value [enabled|disabled]`                        |
+|Configuration|Turn on/off product diagnostics            |`mdatp config cloud-diagnostic --value [enabled|disabled]`             |
+|Configuration|Turn on/off automatic sample submission    |`mdatp config cloud-automatic-sample-submission [enabled|disabled]`    |
+|Configuration|Turn on/off AV passive mode                |`mdatp config passive-mode [enabled|disabled]`                         |
+|Configuration|Turn on PUA protection                     |`mdatp threat policy set --type potentially_unwanted_application --action block` |
+|Configuration|Turn off PUA protection                    |`mdatp threat policy set --type potentially_unwanted_application --action off` |
+|Configuration|Turn on audit mode for PUA protection      |`mdatp threat policy set --type potentially_unwanted_application --action audit` |
+|Diagnostics  |Change the log level                       |`mdatp log level set --level verbose [error|warning|info|verbose]`     |
+|Diagnostics  |Generate diagnostic logs                   |`mdatp diagnostic create`                                              |
+|Health       |Check the product's health                 |`mdatp health`                                                         |
+|Protection   |Scan a path                                |`mdatp scan custom --path [path]`                                      |
+|Protection   |Do a quick scan                            |`mdatp scan quick`                                                     |
+|Protection   |Do a full scan                             |`mdatp scan full`                                                      |
+|Protection   |Cancel an ongoing on-demand scan           |`mdatp scan cancel`                                                    |
+|Protection   |Request a security intelligence update     |`mdatp definitions update`                                             |
 
 ## Microsoft Defender ATP portal information
 
@@ -114,3 +110,12 @@ In the Microsoft Defender ATP portal, you'll see two categories of information:
   - Computer model
   - Processor architecture
   - Whether the device is a virtual machine
+
+### Known issues
+
+- Logged on users do not appear in the Microsoft Defender Security Center portal.
+- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
+
+    ```bash
+    $ sudo SUSEConnect --status-text
+    ```

windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md

@@ -29,7 +29,7 @@ ms.topic: conceptual
 To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
 
 ```bash
-$ mdatp --connectivity-test
+$ mdatp connectivity test
 ```
 
 If the connectivity test fails, check if the machine has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
@@ -84,7 +84,7 @@ $ sudo systemctl daemon-reload; sudo systemctl restart mdatp
 Upon success, attempt another connectivity test from the command line:
 
 ```bash
-$ mdatp --connectivity-test
+$ mdatp connectivity test
 ```
 
 If the problem persists, contact customer support.

windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md

@@ -116,6 +116,7 @@ and try again.
 
 If none of the above steps help, collect the diagnostic logs:
 ```bash
-$ sudo mdatp --diagnostic --create
+$ sudo mdatp diagnostic create
+Diagnostic file created: <path to file>
 ```
 Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.

windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md

@@ -36,7 +36,8 @@ The following steps can be used to troubleshoot and mitigate these issues:
     If your device is not managed by your organization, real-time protection can be disabled from the command line:
 
     ```bash
-    $ mdatp --config realTimeProtectionEnabled false
+    $ mdatp config real-time-protection --value disabled
+    Configuration property updated
     ```
 
     If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
@@ -49,19 +50,20 @@ The following steps can be used to troubleshoot and mitigate these issues:
     This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
  
     ```bash
-    $ mdatp config real_time_protection_statistics_enabled on
+    $ mdatp config real-time-protection-statistics --value enabled
     ```
 
     This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
 
     ```bash
-    $ mdatp health
+    $ mdatp health --field real_time_protection_enabled
     ```
 
     Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it:
 
     ```bash
-    $ mdatp --config realTimeProtectionEnabled true
+    $ mdatp config real-time-protection --value enabled
+    Configuration property updated
     ```
 
     To collect current statistics, run:

windows/security/threat-protection/microsoft-defender-atp/linux-updates.md

@@ -26,6 +26,12 @@ ms.topic: conceptual
 
 Microsoft regularly publishes software updates to improve performance, security, and to deliver new features.
 
+> [!WARNING]
+> Each version of Microsoft Defender ATP for Linux has an expiration date, after which it will no longer continue to protect your device. You must update the product prior to this date. To check the expiration date, run the following command:
+> ```bash
+> mdatp health --field product_expiration
+> ```
+
 To update Microsoft Defender ATP for Linux manually, execute one of the following commands:
 
 ## RHEL and variants (CentOS and Oracle Linux)

windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md

@@ -19,6 +19,12 @@ ms.topic: conceptual
 
 # What's new in Microsoft Defender Advanced Threat Protection for Linux
 
+## 101.00.75
+
+- Added support for the following file system types: `ecryptfs`, `fuse`, `fuseblk`, `jfs`, `nfs`, `overlay`, `ramfs`, `reiserfs`, `udf`, and `vfat`
+- New syntax for the command-line tool. For more information, see [this page](linux-resources.md#configure-from-the-command-line).
+- Performance improvements & bug fixes
+
 ## 100.90.70
 
 > [!WARNING]

windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md

@@ -50,7 +50,7 @@ File, folder, and process exclusions support the following wildcards:
 
 Wildcard | Description | Example | Matches | Does not match
 ---|---|---|---|---
-\* |	Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/\*/\*.log` | `/var/log/system.log` | `/var/log/nested/system.log`
+\* |	Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/*/*.log` | `/var/log/system.log` | `/var/log/nested/system.log`
 ? | Matches any single character | `file?.log` | `file1.log`<br/>`file2.log` | `file123.log`
 
 ## How to configure the list of exclusions

windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md

@@ -66,10 +66,10 @@ To complete this process, you must have admin privileges on the machine.
 
     ![Security and privacy window screenshot](../microsoft-defender-antivirus/images/MDATP-31-SecurityPrivacySettings.png)
 
-The installation proceeds.
+   The installation proceeds.
 
-> [!CAUTION]
-> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](mac-support-kext.md) for information on how to resolve this.
+   > [!CAUTION]
+   > If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](mac-support-kext.md) for information on how to resolve this.
 
 > [!NOTE]
 > macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-time protection will not be available until the machine is rebooted.
@@ -81,21 +81,19 @@ The installation proceeds.
     The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
 
     ```bash
-    $ mdatp --health orgId
+    mdatp --health orgId
     ```
 
 2. Run the Python script to install the configuration file:
 
     ```bash
-    $ /usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py
-    Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
+    /usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py
     ```
 
 3. Verify that the machine is now associated with your organization and reports a valid *orgId*:
 
     ```bash
-    $ mdatp --health orgId
-    E6875323-A6C0-4C60-87AD-114BBE7439B8
+    mdatp --health orgId
     ```
 
 After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md

@@ -207,7 +207,7 @@ You may now enroll more devices. You can also enroll them later, after you have
    </plist>
    ```
 
-9. To allow Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload: <a name = "create-system-configuration-profiles-step-9" id = "create-system-configuration-profiles-step-9"></a>
+9. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload: <a name = "create-system-configuration-profiles-step-9" id = "create-system-configuration-profiles-step-9"></a>
 
    ```xml
    <?xml version="1.0" encoding="UTF-8"?>

windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md

@@ -277,6 +277,16 @@ Determines whether suspicious samples (that are likely to contain threats) are s
 | **Data type** | Boolean |
 | **Possible values** | true (default) <br/> false |
 
+#### Enable / disable automatic security intelligence updates
+
+Determines whether security intelligence updates are installed automatically:
+
+|||
+|:---|:---|
+| **Key** | automaticDefinitionUpdateEnabled |
+| **Data type** | Boolean |
+| **Possible values** | true (default) <br/> false |
+
 ### User interface preferences
 
 Manage the preferences for the user interface of Microsoft Defender ATP for Mac.
@@ -358,6 +368,7 @@ The following configuration profile (or, in case of JAMF, a property list that c
 - Specify how the following threat types are handled:
   - **Potentially unwanted applications (PUA)** are blocked
   - **Archive bombs** (file with a high compression rate) are audited to Microsoft Defender ATP logs
+- Enable automatic security intelligence updates
 - Enable cloud-delivered protection
 - Enable automatic sample submission
 
@@ -394,6 +405,8 @@ The following configuration profile (or, in case of JAMF, a property list that c
         <true/>
         <key>automaticSampleSubmission</key>
         <true/>
+        <key>automaticDefinitionUpdateEnabled</key>
+        <true/>
     </dict>
 </dict>
 </plist>
@@ -471,6 +484,8 @@ The following configuration profile (or, in case of JAMF, a property list that c
                     <true/>
                     <key>automaticSampleSubmission</key>
                     <true/>
+                    <key>automaticDefinitionUpdateEnabled</key>
+                    <true/>
                 </dict>
             </dict>
         </array>
@@ -563,6 +578,8 @@ The following templates contain entries for all settings described in this docum
         <string>optional</string>
         <key>automaticSampleSubmission</key>
         <true/>
+        <key>automaticDefinitionUpdateEnabled</key>
+        <true/>
     </dict>
     <key>edr</key>
     <dict>
@@ -701,6 +718,8 @@ The following templates contain entries for all settings described in this docum
                     <string>optional</string>
                     <key>automaticSampleSubmission</key>
                     <true/>
+                    <key>automaticDefinitionUpdateEnabled</key>
+                    <true/>
                 </dict>
                 <key>edr</key>
                 <dict>

windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md

@@ -26,6 +26,12 @@ ms.topic: conceptual
 > 
 > If you have previously allowed the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to allow the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to allow the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
 
+## 101.01.54
+
+- Improvements around compatibility with Time Machine
+- Accessibility improvements
+- Performance improvements & bug fixes
+
 ## 101.00.31
 
 - Improved [product onboarding experience for Intune users](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos)

windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md

@@ -148,7 +148,7 @@ It's important to understand the following prerequisites prior to creating indic
 
 5. Review the details in the Summary tab, then click **Save**.
 
-## Create indicators for certificates (preview)
+## Create indicators for certificates
 
 You can create indicators for certificates. Some common use cases include:
 

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md

@@ -0,0 +1,100 @@
+---
+title: Microsoft Defender ATP for Android
+ms.reviewer:
+description: Describes how to install and use Microsoft Defender ATP for Android
+keywords: microsoft, defender, atp, android, installation, deploy, uninstallation, intune
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Microsoft Defender Advanced Threat Protection for Android
+
+> [!IMPORTANT]
+> **PUBLIC PREVIEW EDITION**
+> 
+> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
+> 
+> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+> 
+> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Linux onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today.
+
+This topic describes how to install, configure, update, and use Microsoft Defender ATP for Android.
+
+> [!CAUTION]
+> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Android is likely to cause performance problems and unpredictable system errors.
+
+
+
+## How to install Microsoft Defender ATP for Android
+
+### Prerequisites
+
+-   **For end users**
+
+    -   Microsoft Defender ATP license assigned to the end user(s) of the app.
+
+    -   Intune Company Portal app can be downloaded from [Google
+        Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal)
+        and is available on the Android device.
+
+        -   Additionally, device(s) can be
+            [enrolled](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal)
+            via the Intune Company Portal app to enforce Intune device compliance
+            policies. This requires the end user to be assigned a Microsoft Intune license.
+
+    -   For more information on how to assign licenses, see [Assign licenses to
+        users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign).
+        
+
+-   **For Administrators**
+
+    -   Access to the Microsoft Defender Security Center portal.
+
+        > [!NOTE]
+        > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender ATP for Android. Currently only enrolled devices are supported for enforcing Microsoft Defender ATP for Android related device compliance policies in Intune. 
+
+    -   Access [Microsoft Endpoint Manager admin
+        center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the
+        app to enrolled user groups in your organization.
+
+### System Requirements
+
+-   Android devices running Android 6.0 and above.
+-   Intune Company Portal app is downloaded from [Google
+    Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal)
+    and installed. Device enrollment is required for Intune device compliance policies to be enforced.
+
+### Installation instructions
+
+Microsoft Defender ATP for Android supports installation on both modes of
+enrolled devices - the legacy Device Administrator and Android Enterprise modes
+
+Deployment of Microsoft Defender ATP for Android is via Microsoft Intune (MDM).
+For more information, see [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md).
+
+
+> [!NOTE]
+> During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise entrollment modes. <br>
+> **When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.**
+
+## How to Configure Microsoft Defender ATP for Android
+
+Guidance on how to configure Microsoft Defender ATP for Android features is available in [Configure Microsoft Defender ATP for Android features](android-configure.md).
+
+
+
+## Related topics
+- [Deploy Microsoft Defender ATP for with Microsoft Intune](android-intune.md)
+- [Configure Microsoft Defender ATP for Android features](android-configure.md)
+

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md

@@ -20,20 +20,7 @@ ms.topic: conceptual
 
 # Microsoft Defender ATP for Linux
 
-> [!IMPORTANT]
-> **PUBLIC PREVIEW EDITION**
-> 
-> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
-> 
-> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
-> 
-> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Linux onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today.
-
-This topic describes how to install, configure, update, and use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux.
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4q3yP]
-
-<p></p>
+This topic describes how to install, configure, update, and use Microsoft Defender ATP for Linux.
 
 > [!CAUTION]
 > Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors.
@@ -46,16 +33,6 @@ This topic describes how to install, configure, update, and use Microsoft Defend
 - Beginner-level experience in Linux and BASH scripting
 - Administrative privileges on the device (in case of manual deployment)
 
-### Known issues
-
-- Logged on users do not appear in the ATP portal.
-- Running the product on CentOS / RHEL / Oracle Linux 7.0 or 7.1 with kernel versions lower than 3.10.0-327 can result in hanging the operating system. We recommend that you upgrade to version 7.2 or newer.
-- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
-
-    ```bash
-    $ sudo SUSEConnect --status-text
-    ```
-
 ### Installation instructions
 
 There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Linux.
@@ -91,14 +68,22 @@ If you experience any installation failures, refer to [Troubleshooting installat
 - Disk space: 650 MB
 - The solution currently provides real-time protection for the following file system types:
 
-  - btrfs
-  - ext2
-  - ext3
-  - ext4
-  - tmpfs
-  - xfs
-
-  More file system types will be added in the future.
+  - `btrfs`
+  - `ecryptfs`
+  - `ext2`
+  - `ext3`
+  - `ext4`
+  - `fuse`
+  - `fuseblk`
+  - `jfs`
+  - `nfs`
+  - `overlay`
+  - `ramfs`
+  - `reiserfs`
+  - `tmpfs`
+  - `udf`
+  - `vfat`
+  - `xfs`
 
 After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
 

windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md

@@ -65,5 +65,13 @@ The option to **Consult a threat expert** is available in several places in the
 - <i>**File page actions menu**</i><BR>
 ![Screenshot of MTE-EOD file page action menu option](images/mte-eod-file.png)
 
+> [!NOTE]
+> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub. 
+
+Watch this video for a quick overview of the Microsoft Services Hub.
+
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f] 
+
+   
 ## Related topic
 - [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)

windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md

@@ -93,6 +93,10 @@ The hardware requirements for Microsoft Defender ATP on machines is the same as
 
 > [!NOTE]
 > Machines running mobile versions of Windows are not supported.
+>
+> Virtual Machines running Windows 10 Enterprise 2016 LTSC (which is based on Windows 10, version 1607) may encounter performance issues if run on non-Microsoft virtualization platforms.
+>
+> For virtual environments, we recommend using Windows 10 Enterprise LTSC 2019 (which is based on Windows 10, version 1809) or later.
 
 
 ### Other supported operating systems

windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md

@@ -33,7 +33,7 @@ Windows Server 2016 and earlier or Windows 8.1 and earlier.
 > - An OMS gateway server cannot be used as proxy for disconnected Windows 10 or Windows Server 2019 machines when configured via 'TelemetryProxyServer' registry or GPO.
 > - For Windows 10 or Windows Server 2019 - while you may use TelemetryProxyServer, it must point to a standard proxy device or appliance.
 > - In addition, Windows 10 or Windows Server 2019 in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server.
-> - For more information about updating CTLs offline, see (Configure a file or web server to download the CTL files)[https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files].
+> - For more information about updating CTLs offline, see [Configure a file or web server to download the CTL files](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files).
 
 For more information about onboarding methods, see the following articles:
 - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel)

windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md

@@ -29,7 +29,7 @@ Submits or Updates new [Indicator](ti-indicator.md) entity.
 
 ## Limitations
 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-2. There is a limit of 5,000 active indicators per tenant. 
+2. There is a limit of 15,000 active indicators per tenant. 
 
 
 ## Permissions
@@ -102,4 +102,4 @@ Content-type: application/json
 ```
 
 ## Related topic
-- [Manage indicators](manage-indicators.md)
+- [Manage indicators](manage-indicators.md)

windows/security/threat-protection/microsoft-defender-atp/preview.md

@@ -36,7 +36,7 @@ For more information on new capabilities that are generally available, see [What
 
 ## Turn on preview features
 
-You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
+You'll have access to upcoming features that you can provide feedback on to help improve the overall experience before features are generally available.
 
 Turn on the preview experience setting to be among the first to try upcoming features.
 
@@ -47,13 +47,13 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 ## Preview features
 
 The following features are included in the preview release:
-- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios) <br> Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
+- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) <br> Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android.
 
 - [Create indicators for certificates](manage-indicators.md) <br> Create indicators to allow or block certificates. 
 
 - [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md) <br> Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux.
 
- - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR> Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019. <BR> <BR> Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019. See [Secure Configuration Assessment (SCA) for Windows Server now in public preview](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/secure-configuration-assessment-sca-for-windows-server-now-in/ba-p/1243885) and [Reducing risk with new Threat & Vulnerability Management capabilities](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/reducing-risk-with-new-threat-amp-vulnerability-management/ba-p/978145) blogs for more information.
+ - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR> Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019. <BR> <BR> Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
 
 - [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR> You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
  

windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md

@@ -24,8 +24,6 @@ ms.topic: article
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
 
-[!include[Prerelease information](../../includes/prerelease.md)]
-
 Before you begin, ensure that you meet the following operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for.
 
 Operating system | Security assessment support

windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md

@@ -35,6 +35,11 @@ For more information preview features, see [Preview features](https://docs.micro
 > https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us
 > ```
 
+
+## June 2020
+- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios) <br> Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
+
+
 ## April 2020
 
 - [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list) <BR>Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).

windows/security/threat-protection/security-policy-settings/minimum-password-length.md

@@ -26,16 +26,16 @@ Describes the best practices, location, values, policy management, and security
 
 ## Reference
 
-The **Minimum password length** policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 20 characters, or you can establish that no password is required by setting the number of characters to 0.
+The **Minimum password length** policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.
 
 ### Possible values
 
-- User-specified number of characters between 0 and 20
+- User-specified number of characters between 0 and 14
 - Not defined
 
 ### Best practices
 
-Set Minimum password length to at least a value of 8. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it is long enough to provide adequate security and still short enough for users to easily remember. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md).
+Set Minimum password length to at least a value of 8. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it is long enough to provide adequate security and still short enough for users to easily remember. A minimum password length greater than 14 is not supported at this time. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md).
 
 Permitting short passwords reduces security because short passwords can be easily broken with tools that perform dictionary or brute force attacks against the passwords. Requiring very long passwords can result in mistyped passwords that might cause an account lockout and subsequently increase the volume of Help Desk calls.