From 7e065f62e69cf7d2484aa6bf3437a09bc0ce5f7f Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 14 Feb 2020 17:06:55 -0800 Subject: [PATCH] updates --- windows/security/threat-protection/TOC.md | 327 +++++++++--------- .../microsoft-defender-atp/configure.md | 26 +- .../deployment-phases.md | 24 +- ...rity-compass.md => deployment-strategy.md} | 6 +- .../microsoft-defender-atp/images/onboard.png | Bin 0 -> 3775 bytes .../microsoft-defender-atp/images/prepare.png | Bin 0 -> 2375 bytes .../microsoft-defender-atp/images/setup.png | Bin 0 -> 2036 bytes .../production-deployment.md | 25 +- 8 files changed, 189 insertions(+), 219 deletions(-) rename windows/security/threat-protection/microsoft-defender-atp/{security-compass.md => deployment-strategy.md} (73%) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/onboard.png create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/prepare.png create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/setup.png diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 9cebc799c2..41c697a4c5 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -10,23 +10,168 @@ ### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md) ### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md) +## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md) + +## [Design]() +### [Design your Microsoft Defender ATP](microsoft-defender-atp/deployment-strategy.md) + +## [Deployment guide]() +### [Deployment phases](microsoft-defender-atp/deployment-phases.md) + +### [Phase 1: Prepare Microsoft Defender ATP deployment](microsoft-defender-atp/prepare-deployment.md) +#### [Validate licensing and complete setup - NEED DATA IF CAN KILL](microsoft-defender-atp/licensing.md) + + +### [Phase 2: Setup the Microsoft Defender ATP service](microsoft-defender-atp/production-deployment.md) + + +### [Phase 3: Onboard](microsoft-defender-atp/configure.md) + + +## [Operations]() +### [Security operations]() +#### [Portal overview](microsoft-defender-atp/portal-overview.md) +#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md) + + +#### [Incidents queue]() +##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md) +##### [Manage incidents](microsoft-defender-atp/manage-incidents.md) +##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md) + +#### [Alerts queue]() +##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md) +##### [Manage alerts](microsoft-defender-atp/manage-alerts.md) +##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md) +##### [Investigate files](microsoft-defender-atp/investigate-files.md) +##### [Investigate machines](microsoft-defender-atp/investigate-machines.md) +##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md) +##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md) +###### [Investigate connection events that occur behind forward 
proxies](microsoft-defender-atp/investigate-behind-proxy.md) +##### [Investigate a user account](microsoft-defender-atp/investigate-user.md) + +#### [Machines list]() +##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md) +##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md) + +#### [Take response actions]() +##### [Take response actions on a machine]() +###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md) +###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags) +###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation) +###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session) +###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) +###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines) +###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution) +###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network) +###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert) +###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center) + +##### [Take response actions on a file]() +###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md) +###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network) +###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine) +###### [Add indicators to 
block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) +###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert) +###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center) +###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file) +###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) +###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis) +###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports) +###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis) + +#### [Use the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md) +##### [Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md) + + +#### [Investigate entities using Live response]() +##### [Investigate entities on machines](microsoft-defender-atp/live-response.md) +##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md) + +#### [Threat analytics](microsoft-defender-atp/threat-analytics.md) + +#### [Advanced hunting]() +##### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md) +##### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md) +##### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md) +##### [Advanced hunting schema reference]() +###### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md) +###### [DeviceAlertEvents](microsoft-defender-atp/advanced-hunting-devicealertevents-table.md) +###### 
[DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md) +###### [DeviceImageLoadEvents](microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md) +###### [DeviceLogonEvents](microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md) +###### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md) +###### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md) +###### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md) +###### [DeviceFileCertificateInfoBeta](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md) +###### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md) +###### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md) +###### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md) +###### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md) +###### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md) +###### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md) +###### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md) +##### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) + +#### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md) + +#### [Reporting]() +##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md) +##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md) +##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md) +##### [Machine 
health and compliance reports](microsoft-defender-atp/machine-reports.md) -## [How-to guides]() -### [Deployment guide]() -#### [Deployment phases](microsoft-defender-atp/deployment-phases.md) - -#### [Phase 1: Prepare Microsoft Defender ATP deployment](microsoft-defender-atp/prepare-deployment.md) -##### [Validate licensing and complete setup](microsoft-defender-atp/licensing.md) -##### [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md) -##### [Security compass](microsoft-defender-atp/security-compass.md) - -#### [Phase 2: Setup the Microsoft Defender ATP service](microsoft-defender-atp/production-deployment.md) +#### [Custom detections]() +##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md) +##### [Create and manage custom detections rules](microsoft-defender-atp/custom-detection-rules.md) -#### [Phase 3: Onboard](microsoft-defender-atp/configure.md) +### [Security administration]() +#### [Threat & Vulnerability Management]() +##### [Threat & Vulnerability Management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) +##### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) +##### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) +##### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) +##### [Configuration score](microsoft-defender-atp/configuration-score.md) +##### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md) +##### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md) +##### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) +##### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) +##### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) +#### [Manage machine configuration]() +##### [Ensure your machines are configured properly](microsoft-defender-atp/configure-machines.md) +##### 
[Monitor and increase machine onboarding](microsoft-defender-atp/configure-machines-onboarding.md) +##### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md) +##### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md) + + + +## [How-to]() +### [Onboard devices to the service]() +#### [Onboard machines to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md) +#### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md) +#### [Onboard Windows 10 machines]() +##### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md) +##### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md) +##### [Onboard machines using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md) +##### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md) +##### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md) +##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md) + +#### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md) +#### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows.md) +#### [Onboard machines without Internet access](microsoft-defender-atp/onboard-offline-machines.md) +#### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md) +#### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md) +#### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md) +#### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md) + +#### [Troubleshoot onboarding issues]() +##### 
[Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md) +##### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md) ### [Manage capabilities]() 
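Review bot: the new entry `#### [Validate licensing and complete setup - NEED DATA IF CAN KILL](microsoft-defender-atp/licensing.md)` carries a working note inside the TOC title and will render in the published navigation; decide whether the topic stays and drop the suffix before merge. The new `### [Design your Microsoft Defender ATP](microsoft-defender-atp/deployment-strategy.md)` title reads as cut off (a noun such as `deployment` is missing), and `Phase 2: Setup the Microsoft Defender ATP service` uses the noun form where the verb `Set up` is meant.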
@@ -211,143 +356,11 @@ #### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md) - - - - - -### [Operations]() -#### [Security operations]() -##### [Portal overview](microsoft-defender-atp/portal-overview.md) -##### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md) - - -##### [Incidents queue]() -###### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md) -###### [Manage incidents](microsoft-defender-atp/manage-incidents.md) -###### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md) - -##### [Alerts queue]() -###### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md) -###### [Manage alerts](microsoft-defender-atp/manage-alerts.md) -###### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md) -###### [Investigate files](microsoft-defender-atp/investigate-files.md) -###### [Investigate machines](microsoft-defender-atp/investigate-machines.md) -###### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md) -###### [Investigate a domain](microsoft-defender-atp/investigate-domain.md) -####### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md) -###### [Investigate a user account](microsoft-defender-atp/investigate-user.md) - -##### [Machines list]() -###### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md) -###### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md) - -##### [Take response actions]() -###### [Take response actions on a machine]() -####### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md) -####### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags) -####### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation) 
-####### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session) -####### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) -####### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines) -####### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution) -####### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network) -####### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert) -####### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center) - -###### [Take response actions on a file]() -####### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md) -####### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network) -####### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine) -####### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) -####### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert) -####### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center) -####### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file) -####### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) -####### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis) -####### [View deep analysis 
reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports) -####### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis) - -##### [Use the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md) -###### [Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md) - - -##### [Investigate entities using Live response]() -###### [Investigate entities on machines](microsoft-defender-atp/live-response.md) -###### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md) - -##### [Threat analytics](microsoft-defender-atp/threat-analytics.md) - -##### [Advanced hunting]() -###### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md) -###### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md) -###### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md) -###### [Advanced hunting schema reference]() -####### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md) -####### [DeviceAlertEvents](microsoft-defender-atp/advanced-hunting-devicealertevents-table.md) -####### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md) -####### [DeviceImageLoadEvents](microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md) -####### [DeviceLogonEvents](microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md) -####### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md) -####### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md) -####### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md) -####### [DeviceFileCertificateInfoBeta](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md) -####### 
[DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md) -####### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md) -####### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md) -####### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md) -####### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md) -####### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md) -####### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md) -###### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) - -##### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md) - -##### [Reporting]() -###### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md) -###### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md) -###### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md) -###### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md) - - - -##### [Custom detections]() -###### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md) -###### [Create and manage custom detections rules](microsoft-defender-atp/custom-detection-rules.md) - - -#### [Security administration]() -##### [Threat & Vulnerability Management]() -###### [Threat & Vulnerability Management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) -###### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) -###### [What's in the dashboard and what it means for my 
organization](microsoft-defender-atp/tvm-dashboard-insights.md) -###### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) -###### [Configuration score](microsoft-defender-atp/configuration-score.md) -###### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md) -###### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md) -###### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) -###### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) -###### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) - -##### [Manage machine configuration]() -###### [Ensure your machines are configured properly](microsoft-defender-atp/configure-machines.md) -###### [Monitor and increase machine onboarding](microsoft-defender-atp/configure-machines-onboarding.md) -###### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md) -###### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md) - ## Reference ### [Capabilities]() #### [Threat & Vulnerability Management]() ##### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) ##### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) -##### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) -##### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) -##### [Configuration score](microsoft-defender-atp/configuration-score.md) -##### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md) -##### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md) -##### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) -##### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) -##### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) #### [Attack 
surface reduction]() #####[Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md) 
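Review bot: after this hunk `Reference > Capabilities > Threat & Vulnerability Management` keeps only `Next-generation capabilities` and `Supported operating systems and platforms`, which point at the same files as the `Threat & Vulnerability Management overview` and `Supported operating systems and platforms` entries added under `Security administration` in the first hunk, so those two topics now appear twice in the nav; either drop the Reference copies or keep the full list in one place. The unchanged context line `#####[Overview of attack surface reduction]` is missing the space after `#####` and is worth fixing while the file is open.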
@@ -386,28 +399,6 @@ #### [Secure score](microsoft-defender-atp/overview-secure-score.md) -### [Onboard devices to the service]() -#### [Onboard machines to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md) -#### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md) -#### [Onboard Windows 10 machines]() -##### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md) -##### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md) -##### [Onboard machines using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md) -##### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md) -##### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md) -##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md) - -#### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md) -#### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows.md) -#### [Onboard machines without Internet access](microsoft-defender-atp/onboard-offline-machines.md) -#### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md) -#### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md) -#### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md) -#### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md) - -#### [Troubleshoot onboarding issues]() -##### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md) -##### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md) ### [Role-based access control]() 
#### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md) @@ -418,12 +409,6 @@ - - - - - - ### [Management and APIs]() #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure.md b/windows/security/threat-protection/microsoft-defender-atp/configure.md index 143efe29bc..7aa8e6efef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure.md @@ -26,33 +26,23 @@ Deploying Microsoft Defender ATP is a three-phase process: - Plan to deploy Microsoft Defender ATP + Prepare to deploy Microsoft Defender ATP
Plan

- + - Onboard to the Microsoft Defender ATP service -
Onboard

- + Onboard to the Microsoft Defender ATP service +
Setup
+ - Configure capabilities -
Configure

+ Onboard +
Onboard
- - - - - - - - - - + - You are currently in the configuration phase. ## Onboarding using System Center Configuration Manager diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md index 93cce5edba..8adcc930b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md @@ -25,31 +25,31 @@ There are three phases in deploying Microsoft Defender ATP:
- - Plan to deploy Microsoft Defender ATP + + Prepare to deploy Microsoft Defender ATP
Plan

- - Onboard to the Microsoft Defender ATP service + + Onboard to the Microsoft Defender ATP service
Setup

- - Onboard + + Onboard
Onboard

- The planning phase guides you through what you need to consider when deploying Microsoft Defender ATP: + This phase guides you through what you need to consider when deploying Microsoft Defender ATP: -- Stakeholders and Sign-off +- Stakeholders and sign-off - Environment considerations - Access - Adoption order -You can use the security compass to better prepare you in the deployment journey. + The setup phase covers the initial steps you'll take as you first access Microsoft Defender Security Center. You'll be guided on: @@ -60,7 +60,11 @@ You can use the security compass to better prepare you in the deployment journey -Maximize the Microsoft Defender ATP capabilities by configuring the components that make up the platform. +Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them. You'll be guided on: + + +- Using Microsoft Endpoint Configuration Manager to onboard devices +- Configure capabilities
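Review bot: in the configure.md hunk the alt text for the first step becomes `Prepare to deploy Microsoft Defender ATP` while the caption cell below it still reads `Plan`, and the alt text `Onboard to the Microsoft Defender ATP service` now sits above the `Setup` caption, so alt text and captions disagree; align each alt text with its caption (Prepare / Setup / Onboard). The removed line `- You are currently in the configuration phase.` has no replacement: since this topic is now `Phase 3: Onboard`, reword the phase marker (for example `You are currently in the onboarding phase.`) rather than dropping it.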
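Review bot: in the deployment-phases.md hunks the same alt text / caption mismatch appears (`Prepare to deploy Microsoft Defender ATP` above `Plan`, `Onboard to the Microsoft Defender ATP service` above `Setup`). The intro `+ This phase guides you through what you need to consider when deploying Microsoft Defender ATP:` loses the phase name that `The planning phase guides you ...` carried and has a stray leading space, so name the phase (`The prepare phase guides you ...`). The sentence removed with `-You can use the security compass to better prepare you in the deployment journey.` should be replaced by a link to the renamed deployment-strategy.md topic rather than dropped, and the new bullets `- Using Microsoft Endpoint Configuration Manager to onboard devices` and `- Configure capabilities` should use the same grammatical form.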
diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-compass.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md similarity index 73% rename from windows/security/threat-protection/microsoft-defender-atp/security-compass.md rename to windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md index a7e9fff7ec..ac17eafb4d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-compass.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md @@ -1,5 +1,5 @@ --- -title: Security compass +title: Deployment strategy description: keywords: search.product: eADQiWindows 10XVcnh @@ -16,9 +16,9 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Security compass +# Deployment strategy -Use the security compass as a guide in +Use the security Put Chris Hatley's visios here \ No newline at end of file 
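Review bot: the new body `+Use the security Put Chris Hatley's visios here` is a truncated sentence followed by a work-in-progress placeholder and would be published as the topic text; either finish the topic or keep it out of the TOC until the content exists. The front matter still has empty `description:` and `keywords:` fields, and the file ends without a newline (`\ No newline at end of file`). Since the file is renamed from security-compass.md, any remaining inbound links to the old path need a redirect.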
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboard.png new file mode 100644 index 0000000000000000000000000000000000000000..eb6cb9b0aae7870ef4c94a2376ba381e393d0215 GIT binary patch literal 3775
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/prepare.png b/windows/security/threat-protection/microsoft-defender-atp/images/prepare.png new file mode 100644 index 0000000000000000000000000000000000000000..8b0c46059fa4e3bc31efc4da95d1c75404eeae6b GIT binary patch literal 2375 zcmbVO2~ZRF8V{lfwld&>M-}5jsZYtVAqQCqh)EDe!Wj`2#m(*#B1v{hHUX3>1${<* zV6FHlM@49>C>~g)2o`D3f>^{#M+N05@DSQs1*eJ>v~R;T_Koj#UU%ky|Ng)4_YnEDtQzc zB@2QOT*HJ>T!Ar@Gz5jF(Y$?=2pEaSNV)=3skb=u0ln?2A+&9Bg9yoDqx2W zi`Wq?M|Q*`LKN`zp?fDm6oCdKVS18At<^(GB4CUcqUM%u7C;|^kntkG&mxc>B@3mC zaUDkIG5HJx}}NkA-CVqzjQ(SwQWlq^svq&PS%4u?S@82V%_2`4eMdY4HC38qJMDuPtuTDpZ1 zR^SFw1W=leo1h`4XtnwYH&G5_CBXy>WU?(LjR8?)3P%`p>M`Lc!ot*;2Gf#y3JXqQ zi8!3Z^>O%rp`JSag8<64GTD@jH|nC%Oo`BwQX^%?ghSql*2|L#j1`XQaf1%Qq((|j z7mGCnB-UXtiRbmf6oF!Kod%{1R%u`*#v-&zfIj6$ zNQ|p-9VM93&g1p{K(RPfhsUba)PX*H?HYQZRLlp3d_IH21jp2s$)G^3o`kgs7AO$` zlyjIW6$)Vr5M*;vl)?7kVhlcy%V7u+9>P!{91x2|g`PaFVDi2MM+}w_n7ohvpZ7y_ zDk=qG^Hpa7Mgde!8K)QP|nCT40CeJorc7_p>*2tX|FkDo_M_i1<^mr_p2<94wA)5Ni}*OGe@PE`!cbgEQQi>YFV zX{idQqe@w#%|IuOW_>SE;wO*V+nXB_x5O~7-WTV~dVY7y_ILQX$dsL%DRG@XxNUif z<0G>|KK=6yTT#oVQm@v}e~H}WW&JF~94!g`YT=4JzHL#rUr2FIb9-yCZS}9=@pt(1 z7dN*jJI7vb|E211ZtF?@v$w83e$}zFbEsW_cZ?b%Ccn(tWf@L5 zO-9>10eAloov8=Djyyt2xD<~P}! zV!8^3rhR$hUthgvwIcgTo#3H^|A*R<9V*v2yG66Ne*BHk`Mr6KAK0g--0IF4%zjqB zeAl{551k&}0Qw^bPNYePv#xYxdJZ*N57gZ%-5B=Ldrsj`aCH1n_w8(mMvdV%4vb!} z9Zo3N$J`26b8Y@1?VeLfi$=_}tYN3hr|&wK8Nub{PWkaNB&W&0XVGtN!S^2@-;>Yy z>|NKD&G}c2m8LDjblw$ABlM}oelW9^ttQLWNn$OkR zJjboR<%c?kE5h2XQlBdBPdn$IVh&$bT*vNTxTw zLDJPJ=8=87YMGhhhqfg%Qv2Ns9_7p~EEsZk(Acw1=UN@j$n)u1;tVxBe>(Tq8;-6Q z4!r!iX8ZXC^@@FY$UOPANS;fo;5pJs9L`zlFU7u=h2l z82F6ui_rITqFZbGlG9G@`g?x0eP0<;9n!Q}^1|WJ&1ZKGCY;`|*hlyTbnT83#}bV> zpB@h}-mbhm?|Lb%B&8YPuioA0!ucq~u71=O^*B2mo`19axOth0^mObqENz!j`xh^0 zN_t$r*AnTk8V?T02Rm!OC?)!90`9r|bIab}ZPbT(soCy@{+3^zKxwe#?3!(9{|0a{ Bn$-XR literal 0 HcmV?d00001 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/setup.png new file mode 100644 index 0000000000000000000000000000000000000000..e8402090e6f69c2e0819f05686b6aa85aaf7436a GIT binary patch literal 2036 zcmbVN2~ZPf6b>k&IH3rN#ey!2wpvJbH-tb|0!o4qG?XJ2)S_%Qo3N1V#@)q4QAZF* z3mvtJgIW};4h5Zh)rw-#(T?JU2aZ?07%Qkah(k;3c+mdg$Y{sbsXMd#U*G%Q@xS-> z%ar5FLv=Pal|v^k;HdNk z$$D}@9;r0Ku`y7z0|x|FN+2MI)xz+&Lk0Kn;$ZIFMqsE1BIK#y$xek(rY;3ivm6CQ zNEH$ilSe_3N-3t0qv47$NQPoc1dT$la0!axr~;3Og!&#BXyc3~JWVsDPZwCJ;2c4) z;Rs^4+okq!Da)A=OsNDMGDIem0EC2}&j^G=!tf#e3>u0jIoc-BECV?i2?Luis9<1e zuM1Y2i&Po7>X)9r-5F2BLAy*i2HEUrxpcq&e{`$UF ztxn-s6Kw$pd|E;rq>WcAFr`8vkx8*0b9Fjg%kTohkd#)Vfs3%=;f^?RF3MQTRPZ{C9ZTh_<&`WF2p#bTB4;C~la?0+9c#<)7Ibtb>(_;yetuV! z8qu^k7|zmp9Db^~H0!V8>e3yhSNt;%BpfUsUY`|uZF7~!4;d#FL4IL;NQJU_Wf?lO zHQ-E6!KSV8yB$AYZ~dYqdS~*D8D6qyEl<0cbw$Gq4Ye11n{pBL#q9-!ouejcW^UWD zgY^^L95-x3y72K=*G6V$Wz|g2J$t8RUnMdm;AVweoST_x5*J>+>Jw${8z}FnCh@|O zx`*|#8~1bb{z;FH;@ zWjRTM_qiRs^SEG*wf6anjlQjgkD^ETnwBWDPfwU=cdKgs?qsdE<;n+$#3@Y}wov{e|u@@o%Berap5I^t&&U zR)#E3m_4p8+P)$rKfmhpntHF6+mW+)|FT2Fy2WS9jxSnhkzR2Am$mW9nq6_(MSlY@ CCgN29 literal 0 HcmV?d00001 diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index 6454a0684e..8a3a022f4c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -30,30 +30,21 @@ Deploying Microsoft Defender ATP is a three-phase process: - Plan to deploy Microsoft Defender ATP + Prepare to deploy Microsoft Defender ATP
Plan

- + - Onboard to the Microsoft Defender ATP service -
Onboard

- + Onboard to the Microsoft Defender ATP service +
Setup
+ - Configure capabilities -
Configure

+ Onboard +
Onboard
- - - - - - - - - - +
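Review bot: the phase captions in this hunk no longer match the descriptions placed above them: the unchanged caption line `Plan` directly follows `+ Prepare to deploy Microsoft Defender ATP`, the caption `Setup` follows `+ Onboard to the Microsoft Defender ATP service +`, and the column captioned `Onboard` gets only `+ Onboard +` as its description. Since the intro line keeps "a three-phase process" and the phases are now Prepare, Setup and Onboard, rename the first caption to Prepare, give the Setup column a description of the setup phase, and move the "Onboard to the Microsoft Defender ATP service" text to the Onboard column; also check that the ten trailing `-` lines remove only the obsolete Configure column and not table markup the remaining columns still need.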