Merge branch 'master' into surface-2s-update

2025-06-18 20:03:40 +00:00 · 2019-09-24 07:51:43 -07:00
parent 986b4242e8 45c1c75869
commit 839586fa83
15 changed files with 481 additions and 395 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -15344,7 +15344,7 @@
    },
    {
    "source_path": "devices/surface/surface-dock-updater.md",
-    "redirect_url": "surface/surface-dock-firmware-update",
+    "redirect_url": "/surface/surface-dock-firmware-update",
    "redirect_document_id": true
    },
    {
--- a/devices/surface-hub/surface-hub-recovery-tool.md
+++ b/devices/surface-hub/surface-hub-recovery-tool.md
@ -77,10 +77,7 @@ Install Surface Hub Recovery Tool on the host PC.
 5. When the download is complete, the tool instructs you to connect an SSD drive. If the tool is unable to locate the attached drive, there is a good chance that the cable being used is not reporting the name of the SSD to Windows.  The imaging tool must find the name of the drive as "LITEON L CH-128V2S USB Device" before it can continue.  For more information on how to remove the existing drive from your Surface Hub, see [Surface Hub SSD replacement](surface-hub-ssd-replacement.md).
 ~~~
    ![Connect SSD](images/shrt-drive.png)
 ~~~
 6. When the drive is recognized, click **Start** to begin the re-imaging process. On the warning that all data on the drive will be erased, click **OK**.
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@ -40,7 +40,6 @@
 ### [Surface firmware and driver updates](update.md)
 ### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
 ## Secure
 ### [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
 ### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
--- a/devices/surface/get-started.md
+++ b/devices/surface/get-started.md
@ -66,7 +66,7 @@ Harness the power of Surface, Windows, and Office connected together through the
                    </div>
                    <div class="cardText">
                        <h3>Manage</h3>
-                        <p><a href="surface-wireless-connect.md">Optimizing Wi-Fi connectivity for Surface devices</a></p>
+                        <p><a href="surface-wireless-connect.md">Optimize Wi-Fi connectivity for Surface devices</a></p>
                        <p><a href="maintain-optimal-power-settings-on-Surface-devices.md">Best practice power settings for Surface devices</a></p>
                        <p><a href="battery-limit.md">Manage battery limit with UEFI</a></p>
                    </div>
@ -75,7 +75,6 @@ Harness the power of Surface, Windows, and Office connected together through the
        </div>
    </li>
 </ul>
 <ul class="panelContent cardsF">
    <li>
        <div class="cardSize">
@ -124,7 +123,7 @@ Harness the power of Surface, Windows, and Office connected together through the
                <div class="card">
                    <div class="cardText">
                        <h3>Technical specifications</h3>
-                         <P><a href="https://www.microsoft.com/surface/devices/surface-pro/tech-specs" target="_blank">Surface Pro</a><p>
+                         <P><a href="https://www.microsoft.com/surface/devices/surface-pro/tech-specs" target="_blank">Surface Pro</a></p>
                         <P><a href="https://www.microsoft.com/p/surface-book-2/8mcpzjjcc98c?activetab=pivot:techspecstab" target="_blank">Surface Book</a></p>
                         <P><a href="https://www.microsoft.com/surface/devices/surface-studio/tech-specs" target="_blank">Surface Studio</a><p>
                         <P><a href="https://www.microsoft.com/surface/devices/surface-go/tech-specs" target="_blank">Surface Go</a></p>
@ -144,8 +143,7 @@ Harness the power of Surface, Windows, and Office connected together through the
                         <P><a href="surface-diagnostic-toolkit-for-business-intro.md">Surface Diagnostic Toolkit for Business</a></p>
                         <P><a href="surface-enterprise-management-mode.md">SEMM and UEFI</a></p>
                         <P><a href="microsoft-surface-brightness-control.md">Surface Brightness Control</a></p>
-                         <P><a href="microsoft-surface-data-eraser.md">Surface Data Eraser</a></p>
+                         <P><a href="battery-limit.md">Battery Limit setting</a></p>
                    </div>
                </div>
            </div>
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@ -24,6 +24,7 @@ This article explains how to use Microsoft Surface Dock Firmware Update, newly r
 1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703).
    - The file is released in the following naming format: **Surface_Dock_FwUpdate_X.XX.XXX_Win10_XXXXX_XX.XXX.XXXXX_X.MSI** and installs by default to C:\Program Files\SurfaceUpdate.
    - Requires Surface devices running at least Windows 10 version 1803 or later.
 2. Click **Start > All Apps > Microsoft Surface Dock Updater.** After you connect Surface Dock to your Surface device, the tool checks the firmware status while running in the background.
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@ -67,10 +67,8 @@ First, you create a default user profile with the customizations that you want,
 3. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=winserver2012-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10).
 ~~~
 >[!NOTE]
 >It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
 ~~~
 3. At a command prompt, type the following command and press **ENTER**.
--- a/windows/client-management/mdm/networkproxy-csp.md
+++ b/windows/client-management/mdm/networkproxy-csp.md
@ -40,8 +40,8 @@ Added in Windows 10, version 1803. When set to 0, it enables proxy configuration
 Supported operations are Add, Get, Replace, and Delete.
-> [!NOTE]
+> [!Note]
-> Per user proxy configuration setting is not supported.
+> Per user proxy configuration setting is not supported using a configuration file, only modifying registry settings on a local machine.
 <a href="" id="autodetect"></a>**AutoDetect**
 Automatically detect settings. If enabled, the system tries to find the path to a PAC script.
@ -52,7 +52,7 @@ Valid values:
 <li>1 (default) - Enabled</li>
 </ul>
-The data type is int. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported.
+The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported.
 <a href="" id="setupscripturl"></a>**SetupScriptUrl**
 Address to the PAC script you want to use.
@ -82,4 +82,55 @@ Valid values:
 <li>1 - Do not use proxy server for local addresses</li>
 </ul>
-The data type is int. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported.
+The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported.
 # Configuration Example
 These generic code portions for the options **ProxySettingsPerUser**, **Autodetect**, and **SetupScriptURL** can be used for a specific operation, for example Replace.  Only enter the portion of code needed in the **Replace** section.
 ```xml
 <Replace>
    <CmdID>1</CmdID>
    <Item>
        <Target>
            <LocURI>./Vendor/MSFT/NetworkProxy/ProxySettingsPerUser</LocURI>
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">int</Format>
            <Type>text/plain</Type>
        </Meta>
        <Data>0</Data>
    </Item>
 </Replace>
 ```
 ```xml
 <Replace>
    <CmdID>2</CmdID>
    <Item>
        <Target>
            <LocURI>./Vendor/MSFT/NetworkProxy/AutoDetect</LocURI>
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">int</Format>
            <Type>text/plain</Type>
        </Meta>
        <Data>1</Data>
    </Item>
 </Replace> 
 ```
 ```xml
 <Replace>
    <CmdID>3</CmdID>
    <Item>
        <Target>
            <LocURI>./Vendor/MSFT/NetworkProxy/SetupScriptUrl</LocURI>
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
            <Type>text/plain</Type>
        </Meta>
        <Data>Insert the proxy PAC URL location here:</Data>
    </Item>
 </Replace>
 ```
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@ -6,17 +6,13 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date: 01/14/2019
+ms.date: 09/23/2019
 ms.reviewer: 
 manager: dansimp
 ---
 # Policy CSP - Storage
 > [!WARNING]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 <hr/>
 <!--Policies-->
@ -627,7 +623,10 @@ ADMX Info:
 <!--/Scope-->
 <!--Description-->
-If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives."
+If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. 
 > [!Note]
 > To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives."
 Supported values:  
 -  0 - Disable
@ -647,7 +646,10 @@ ADMX Info:
 <!--/SupportedValues-->
 <!--Example-->
 Example for setting the device custom OMA-URI setting to enable this policy:  
 To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1.
 See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/en-us/intune/custom-settings-windows-10) for information on how to create custom profiles.
 <!--/Example-->
 <!--Validation-->
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@ -9,7 +9,8 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
-audience: itpro
+audience: itpro
 author: greg-lindsay
 ms.author: greglin
 ms.collection: M365-modern-desktop
 ms.topic: article
@ -34,6 +35,7 @@ This topic describes how to convert Windows 7 or Windows 8.1 domain-joined compu
 - Assigned Microsoft Intune Licenses
 - Azure Active Directory Premium
 - Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image
  - **Important**: See [Known issues](known-issues.md) if you are using Windows 10 1903 with Configuration Manager’s built-in **Windows Autopilot existing device** task sequence template. Currently, one of the steps in this task sequence must be edited to work properly with Windows 10, version 1903.
 ## Procedures
@ -196,7 +198,7 @@ See the following examples.
   - Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later.
   - Select the **Partition and format the target computer before installing the operating system** checkbox.
   - Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional.
-   - Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional.
+   - <u>Product Key</u> and <u>Server licensing mode</u>: Optionally enter a product key and server licensing mode.
   - <u>Randomly generate the local administrator password and disable the account on all support platforms (recommended)</u>: Optional.
   - <u>Enable the account and specify the local administrator password</u>: Optional.
   - Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**.
--- a/windows/deployment/windows-autopilot/known-issues.md
+++ b/windows/deployment/windows-autopilot/known-issues.md
@ -25,9 +25,15 @@ ms.topic: article
 <table>
 <th>Issue<th>More information
-<tr><td>The following known issue will be resolved by installing the KB4517211 update, due to be released in late September 2019:
+<tr><td>Windows Autopilot for existing devices does not work for Windows 10, version 1903; you see screens that you've disabled in your Windows Autopilot profile, such as the Windows 10 License Agreement screen.
-
+<br>&nbsp;<br>
- TPM attestation fails on Windows 10 1903 due to missing AKI extension in EK certificate.  (An additional validation added in Windows 10 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications uncovered that a number of them don’t, so that validation will be removed).
+This happens because Windows 10, version 1903 deletes the AutopilotConfigurationFile.json file.
 <td>To fix this issue: <ol><li>Edit the Configuration Manager task sequence and disable the <b>Prepare Windows for Capture</b> step.
 <li>Add a new <b>Run command line</b> step that runs <b>c:\windows\system32\sysprep\sysprep.exe /oobe /reboot</b>.</ol>
 <a href="https://oofhours.com/2019/09/19/a-challenge-with-windows-autopilot-for-existing-devices-and-windows-10-1903/">More information</a>
 <tr><td>The following known issue will be resolved by installing the KB4517211 update, due to be released in late September 2019.
 <br>&nbsp;<br>
 TPM attestation fails on Windows 10 1903 due to missing AKI extension in EK certificate.  (An additional validation added in Windows 10 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications uncovered that a number of them don’t, so that validation will be removed).
 <td>Download and install the KB4517211 update</a>. <br><br>This update is currently pending release.
 <tr><td>The following known issues are resolved by installing the August 30, 2019 KB4512941 update (OS Build 18362.329):
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@ -50,6 +50,7 @@ sections:
    text: "
      <table border ='0'><tr><td width='80%'>Message</td><td width='20%'>Date</td></tr>
      <tr><td><a href = 'https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-1367' target='_blank'><b>Advisory: Scripting Engine Memory Corruption Vulnerability (CVE-2019-1367)</b></a><br><div>On September 23, 2019, Microsoft released a security update to address a remote code execution vulnerability in the way the scripting engine handles objects in memory in Internet Explorer. An attacker who successfully exploited the vulnerability could gain the same user permissions as the current user. For example, if a user is logged on with administrative rights, an attacker could take control of an affected system and install programs; view, change, or delete data; or create new accounts with full user rights.&nbsp;Alternatively, an attacker could host a specially crafted website targeting Internet Explorer and then entice a user to open web page or a malicious document attached to an e-mail. For more information about the vulnerability, see the Microsoft Security Guide&nbsp;<a href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-1367\" target=\"_blank\">CVE-2019-1367 | Scripting Engine Memory Corruption Vulnerability</a>.&nbsp;</div><div>&nbsp;</div><div>Mitigation for this vulnerability is available from the&nbsp;<a href=\"https://portal.msrc.microsoft.com\" target=\"_blank\">Microsoft Security Update Guide</a>. For the best protection, we recommend you apply the latest Windows updates and follow security best practices and do not open attachments or documents from an untrusted&nbsp;source. For more information about the vulnerability, see the Microsoft Security Guide:&nbsp;<a href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-1367\" target=\"_blank\">CVE-2019-1367 | Scripting Engine Memory Corruption Vulnerability</a>.&nbsp;</div></td><td>September 22, 2019 <br>11:00 AM PT</td></tr>
      <tr><td><b>Status of September 2019 “C” release</b><br><div>The optional monthly “C” release for September 2019 for all supported versions of Windows and Windows Server prior to Windows 10, version 1903 and Windows Server, version 1903 will be available in the near term. For more information on the different types of monthly quality updates, see our&nbsp;<a href=\"https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376\" target=\"_blank\">Windows 10 update servicing cadence primer</a>. Follow <a href=\"https://twitter.com/windowsupdate\" target=\"_blank\"><u>@WindowsUpdate</u></a> for the latest on the availability of this release.</div></td><td>September 19, 2019 <br>04:11 PM PT</td></tr>
      <tr><td><b>Plan for change: End of service reminders for Windows 10, versions 1703 and 1803</b><br><div>The&nbsp;Enterprise and Education editions of Windows 10, version 1703 (the Creators Update)&nbsp;will reach end of service on October 8, 2019. The Home, Pro, Pro for Workstations, and IoT Core editions of&nbsp;Windows 10, version 1803&nbsp;(the April 2018 Update) will reach end of service on November 12, 2019. We recommend that you update&nbsp;devices running these versions and editions&nbsp;to the latest version of Windows 10—Windows 10, version 1903—as soon as possible to help keep them protected and your environments secure.</div></td><td>September 13, 2019 <br>03:23 PM PT</td></tr>
      <tr><td><b>September 2019 security update available for all supported versions of Windows</b><br><div>The September 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. We recommend that you install these updates promptly. To be informed about the latest updates and releases, follow us on Twitter&nbsp;<a href=\"https://twitter.com/windowsupdate\" target=\"_blank\">@WindowsUpdate</a>.</div></td><td>September 10, 2019 <br>09:34 AM PT</td></tr>
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -121,7 +121,7 @@
 #### [Custom detections]()
 ##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
-##### [Create custom detections rules](microsoft-defender-atp/custom-detection-rules.md)
+##### [Create and manage custom detections rules](microsoft-defender-atp/custom-detection-rules.md)
 ### [Management and APIs]()
 #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@ -1,16 +1,16 @@
 ---
-title: Create custom detection rules in Microsoft Defender ATP
+title: Create and manage custom detection rules in Microsoft Defender ATP
 ms.reviewer: 
-description: Learn how to create custom detections rules based on advanced hunting queries
+description: Learn how to create and manage custom detections rules based on advanced hunting queries
-keywords: create custom detections, detections, advanced hunting, hunt, detect, query
+keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: macapara
+ms.author: lomayor
-author: mjcaparas
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
@ -19,53 +19,86 @@ ms.topic: article
 ---
-# Create custom detections rules
+# Create and manage custom detections rules
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Create custom detection rules from [Advanced hunting](overview-hunting.md) queries to automatically check for threat indicators and generate alerts whenever these indicators are found.
+Custom detection rules built from [Advanced hunting](overview-hunting.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches.
 >[!NOTE]
->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.  For the detection rule to work properly and create alerts, the query must return in each row a set of MachineId, ReportId, EventTime which match to an actual event in advanced hunting.
+>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.  
-1. In the navigation pane, select **Advanced hunting**.
+## Create a custom detection rule
 ### 1. Prepare the query.
-2. Select an existing query that you'd like to base the monitor on or create a new query.
+In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
-3. Select **Create detection rule**.
+>[!NOTE]
 >To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that don’t use the `project` operator to customize results usually return these common columns.
-4. Specify the alert details:
+### 2. Create new rule and provide alert details.
-    - Alert title
+With the query in the query editor, select **Create detection rule** and specify the following alert details:
    - Severity
    - Category
    - Description
    - Recommended actions
-5. Click **Create**.
+- **Alert title**
 - **Severity**
 - **Category**
 - **Description**
 - **Recommended actions**
-> [!TIP]
+For more information about these alert details, [read about managing alerts](manage-alerts.md).
-> TIP #1: Running the query for the first time before saving it can help you find any mistakes or errors and give you a preview of the data you can expect to be returned.<br>
+
-> When a new detection rule is created, it will run for the first time (it might take a few minutes) and raise any alerts created by this rule. After that, the rule will automatically run every 24 hours. <br>
+### 3. Specify actions on files or machines.
-> TIP #2: Since the detection automatically runs every 24 hours, it's best to query data in the last 24 hours.
+Your custom detection rule can automatically take actions on files or machines that are returned by the query.
 #### Actions on machines
 These actions are applied to machines in the `MachineId` column of the query results:
 - **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network)
 - **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines)
 - **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine
 - **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the machine
 #### Actions on files
 These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
 - **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected machine groups. This scope is independent of the scope of the rule.
 - **Quarantine file** — deletes the file from its current location and places a copy in quarantine
 ### 4. Click **Create** to save and turn on the rule.
 When saved, the custom detection rule immediately runs. It runs again every 24 hours to check for matches, generate alerts, and take response actions.
 ## Manage existing custom detection rules
-View existing rules in your network, see the last results of each rule, navigate to view all alerts that were created by each rule. You can also modify existing rules.
+In **Settings** > **Custom detections**, you can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
-1. In the navigation pane, select **Settings** > **Custom detections**. You'll see all the detections  created in the system.
+### View existing rules
-2. Select one of the rules to take any of the following actions:
+To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information:
   - Open related alerts - See all the alerts that were raised based to this rule
   - Run - Run the selected detection immediately. 
-   > [!NOTE]
+- **Last run** — when a rule was last run to check for query matches and generate alerts
-   > The next run for the query will be in 24 hours after the last run.
+- **Last run status** — whether a rule ran successfully
 - **Next run** — the next scheduled run
 - **Status** — whether a rule has been turned on or off
-   - Edit - Modify the settings of the rule.
+### View rule details, modify rule, and run rule
   - Modify query - View and edit the query itself. 
   - Turn off - Stop the query from running.
   - Delete
 To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. This opens a page about the custom detection rule with the following information:
 - General information about the rule, including the details of the alert, run status, and scope
 - List of triggered alerts
 - List of triggered actions
 ![Custom detection rule page](images/atp-custom-detection-rule-details.png)<br>
 *Custom detection rule page*
 You can also take the following actions on the rule from this page:
 - **Run** — run the rule immediately. This also resets the interval for the next run.
 - **Edit** — modify the rule without changing the query
 - **Modify query** — edit the query in Advanced hunting
 - **Turn on** / **Turn off** — enable the rule or stop it from running
 - **Delete** — turn off the rule and remove it
 >[!TIP]
 >To quickly view information and take action on an item in a table, use the selection column [&#10003;] at the left of the table.
 ## Related topic
 - [Custom detections overview](overview-custom-detections.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/images/atp-custom-detection-rule-details.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/atp-custom-detection-rule-details.png
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
@ -1,16 +1,16 @@
 ---
-title: Custom detections overview
+title: Overview of custom detections in Microsoft Defender ATP
 ms.reviewer: 
-description: Understand how you can leverage the power of advanced hunting to create custom detections
+description: Understand how you can use Advanced hunting to create custom detections and generate alerts
-keywords: custom detections, detections, advanced hunting, hunt, detect, query
+keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, interval, mdatp, microsoft defender atp
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: macapara
+ms.author: lomayor
-author: mjcaparas
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
@ -23,18 +23,16 @@ ms.topic: conceptual
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions.
-Alerts in Microsoft Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious events or emerging threats.
+Custom detections work with [Advanced hunting](overview-hunting.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches.
-This can be done by leveraging the power of [Advanced hunting](overview-hunting.md) through the creation of custom detection rules. 
+Custom detections provide:
-Custom detections are queries that run periodically every 24 hours and can be configured so that when the query meets the criteria you set, alerts are created and are surfaced in Microsoft Defender Security Center. These alerts will be treated like any other alert in the system.
+- Alerts from rule-based detections built from Advanced hunting queries
-
+- Automatic response actions that apply to files and machines
 This capability is particularly useful for scenarios when you want to pro-actively prevent threats and be notified quickly of emerging threats.
 >[!NOTE]
 >To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
 ## Related topic
- [Create custom detection rules](custom-detection-rules.md)
+- [Create and manage custom detection rules](custom-detection-rules.md)