From 120f74b53e33deee3ba82cf615ea83ac594e3baa Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Wed, 18 Mar 2020 16:34:05 -0700
Subject: [PATCH 1/8] Update windows-defender-antivirus-compatibility.md

---
 ...indows-defender-antivirus-compatibility.md | 48 +++++++++++--------
 1 file changed, 29 insertions(+), 19 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 8c86ac5722..6b6e1270e3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -12,7 +12,6 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 02/25/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -23,21 +22,20 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
+Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using Microsoft Defender ATP.
+- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, Windows Defender Antivirus automatically goes into disabled mode. 
+- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and and threats are not remediated by Windows Defender Antivirus.) 
+- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [shadow protection (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
 
-However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender Antivirus will automatically disable itself.
-
-If you are also using Microsoft Defender Advanced Threat Protection, then Windows Defender Antivirus will enter a passive mode. Important: Real time protection and and threats will not be remediated by Windows Defender Antivirus.
-
-The following matrix illustrates the states that Windows Defender Antivirus will enter when third-party antivirus products or Microsoft Defender ATP are also used. 
+The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP. 
 
 
-|   Windows version   |                  Antimalware protection offered by                  | Organization enrolled in Microsoft Defender ATP |     Windows Defender Antivirus state     |
-|---------------------|---------------------------------------------------------------------|-------------------------------------------------|-----------------------------------|
-|     Windows 10      | A third-party product that is not offered or developed by Microsoft |                       Yes                       |           Passive mode            |
-|     Windows 10      | A third-party product that is not offered or developed by Microsoft |                       No                        |      Automatic disabled mode      |
-|     Windows 10      |                         Windows Defender Antivirus                         |                       Yes                       |            Active mode            |
-|     Windows 10      |                         Windows Defender Antivirus                         |                       No                        |            Active mode            |
+| Windows version   | Antimalware protection offered by  | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state     |
+|------|------|-------|-------|
+| Windows 10      | A third-party product that is not offered or developed by Microsoft |                       Yes                       |           Passive mode            |
+| Windows 10      | A third-party product that is not offered or developed by Microsoft |                       No                        |      Automatic disabled mode      |
+| Windows 10      |                         Windows Defender Antivirus                         |                       Yes                       |            Active mode            |
+| Windows 10      |                         Windows Defender Antivirus                         |                       No                        |            Active mode            |
 | Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft |                       Yes                       | Active mode<sup>[[1](#fn1)]</sup> |
 | Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft |                       No                        | Active mode<sup>[[1](#fn1)]<sup>  |
 | Windows Server 2016 or 2019 |                         Windows Defender Antivirus                         |                       Yes                       |            Active mode            |
@@ -60,14 +58,26 @@ See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defende
 >  
 >Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations). 
 
+## Functionality and features available in each state
 
-This table indicates the functionality and features that are available in each state:
+The following table summarizes the functionality and features that are available in each state:
 
-State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Security intelligence updates](manage-updates-baselines-windows-defender-antivirus.md)
-:-|:-|:-:|:-:|:-:|:-:|:-:
-Passive mode | Windows Defender Antivirus will not be used as the antivirus app, and threats will not be remediated by Windows Defender Antivirus. Files will be scanned and reports will be provided for threat detections which are shared with the Microsoft Defender ATP service.  | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-Automatic disabled mode | Windows Defender Antivirus will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] 
-Active mode | Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
+|State | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Security intelligence updates](manage-updates-baselines-windows-defender-antivirus.md) |
+|-----|---|---|---|---|---|
+|Active mode <br/> Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] |
+|Passive mode <br/> Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] |
+|Shadow protection enabled <br/> Windows Defender Antivirus is not used as the primary antivirus solution, but can detect and remediate malicious items |[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] |
+|Automatic disabled mode | Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] |
+
+
+
+
+|State |Real-time protection and cloud-delivered protection | Limited periodic scanning availability | File scanning and detection information | Threat remediation | Security intelligence updates |
+|--|--|--|--|--|--|
+|Active mode <br/><br/> Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). |![yes](images/svg/check-yes.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |
+|Passive mode <br/><br/> Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) | |![no](images/svg/check-no.svg) | |
+| | | | | | |
+| | | | | | |
 
 If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. 
 

From b9a4fb23df39b0f27fb347cd0d39f26e6f54ac94 Mon Sep 17 00:00:00 2001
From: Steve DiAcetis <SteveDiAcetis@users.noreply.github.com>
Date: Wed, 18 Mar 2020 16:36:13 -0700
Subject: [PATCH 2/8] Update media-dynamic-update.md

Replace curly quotes with straight quotes.
---
 .../deployment/update/media-dynamic-update.md | 93 +++++++++----------
 1 file changed, 46 insertions(+), 47 deletions(-)

diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 6f79f71c7e..c981469bef 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -8,7 +8,7 @@ itproauthor: jaimeo
 author: SteveDiAcetis
 ms.localizationpriority: medium
 ms.author: jaimeo
-ms.reviewer: 
+ms.reviewer:
 manager: laurawi
 ms.collection: M365-modern-desktop
 ms.topic: article
@@ -88,7 +88,7 @@ The main operating system file (install.wim) contains multiple editions of Windo
 
 ### Additional languages and features
 
-You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image. 
+You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
 
 Optional Components, along with the .Net feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .Net and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
 
@@ -108,7 +108,7 @@ These examples are for illustration only, and therefore lack error handling. The
 The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
 
 ```
-function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) } 
+function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
 
 Write-Host "$(Get-TS): Starting media refresh"
 
@@ -121,19 +121,19 @@ $LANG = "ja-jp"
 $LANG_FONT_CAPABILITY = "jpan"
 
 # Declare Dynamic Update packages
-$LCU_PATH = “C:\mediaRefresh\packages\LCU.msu”
-$SSU_PATH = “C:\mediaRefresh\packages\SSU_DU.msu”
+$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu"
+$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu"
 $SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab"
-$SAFE_OS_DU_PATH = “C:\mediaRefresh\packages\SafeOS_DU.cab”
-$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu”
+$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\SafeOS_DU.cab"
+$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu"
 
 # Declare folders for mounted images and temp files
 $WORKING_PATH = "C:\mediaRefresh\temp"
 $MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
 $MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
-$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount”
-$WINRE_MOUNT = $WORKING_PATH + "\WinREMount”
-$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount”
+$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount"
+$WINRE_MOUNT = $WORKING_PATH + "\WinREMount"
+$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount"
 
 # Mount the language pack ISO
 Write-Host "$(Get-TS): Mounting LP ISO"
@@ -152,7 +152,7 @@ $OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "Microsoft-Windows-Cli
 # Mount the Features on Demand ISO
 Write-Host "$(Get-TS): Mounting FOD ISO"
 $FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
-$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\" 
+$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
 
 # Create folders for mounting images and storing temporary files
 New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null
@@ -162,7 +162,7 @@ New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
 
 # Keep the original media, make a copy of it for the new, updateed media.
 Write-Host "$(Get-TS): Copying original media to new media path"
-Copy-Item -Path $MEDIA_OLD_PATH“\*” -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
+Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
 Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
 ```
 ### Update WinRE
@@ -177,14 +177,14 @@ It finishes by cleaning and exporting the image to reduce the image size.
 ```
 # Mount the main operating system, used throughout the script
 Write-Host "$(Get-TS): Mounting main OS"
-Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim” -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null  
+Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null  
 
 #
 # update Windows Recovery Environment (WinRE)
 #
-Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Destination $WORKING_PATH"\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null
+Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
 Write-Host "$(Get-TS): Mounting WinRE"
-Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim” -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null 
+Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
 
 # Add servicing stack update
 Write-Host "$(Get-TS): Adding package $SSU_PATH"
@@ -226,10 +226,10 @@ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
 # Add TTS support for the new language
 if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
     if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-            
+
         Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
         Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
-            
+
         Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
         Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
     }
@@ -244,35 +244,35 @@ Write-Host "$(Get-TS): Performing image cleanup on WinRE"
 DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
 
 # Dismount
-Dismount-WindowsImage -Path $WINRE_MOUNT  -Save -ErrorAction stop | Out-Null 
+Dismount-WindowsImage -Path $WINRE_MOUNT  -Save -ErrorAction stop | Out-Null
 
 # Export
-Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim”
-Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim” -ErrorAction stop | Out-Null
-Move-Item -Path $WORKING_PATH"\winre2.wim” -Destination $WORKING_PATH"\winre.wim” -Force -ErrorAction stop | Out-Null
+Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
+Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
 ```
 ### Update WinPE
 
 This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
 
 ```
-# 
+#
 # update Windows Preinstallation Environment (WinPE)
-# 
+#
 
 # Get the list of images contained within WinPE
-$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim”
+$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
 
 Foreach ($IMAGE in $WINPE_IMAGES) {
 
     # update WinPE
     Write-Host "$(Get-TS): Mounting WinPE"
-    Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null  
+    Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null  
 
     # Add SSU
     Write-Host "$(Get-TS): Adding package $SSU_PATH"
     Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
-        
+
     # Install lp.cab cab
     Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
     Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null  
@@ -287,7 +287,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
 
             $INDEX = $PACKAGE.PackageName.IndexOf("-Package")
             if ($INDEX -ge 0) {
-                
+
                 $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
                 if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
                     $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
@@ -307,10 +307,10 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
     # Add TTS support for the new language
     if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
         if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-            
+
             Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
             Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
-            
+
             Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
             Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
         }
@@ -321,7 +321,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
         Write-Host "$(Get-TS): Updating lang.ini"
         DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
     }    
-    
+
     # Add latest cumulative update
     Write-Host "$(Get-TS): Adding package $LCU_PATH"
     Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null  
@@ -331,28 +331,28 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
     DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
 
     # Dismount
-    Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null 
+    Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null
 
     #Export WinPE
-    Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim”
-    Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
+    Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
+    Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
 
 }
 
-Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH“\sources\boot.wim” -Force -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
 ```
 ### Update the main operating system
 
 For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
 
 Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .Net), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
- 
+
 You can install Optional Components, along with the .Net feature, offline, but that will require the device to be restarted. This is why the script installs .Net and Optional Components after cleanup and before export.
 
 ```
-# 
+#
 # update Main OS
-# 
+#
 
 # Add servicing stack update
 Write-Host "$(Get-TS): Adding package $SSU_PATH"
@@ -385,20 +385,20 @@ Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOU
 
 # Add latest cumulative update
 Write-Host "$(Get-TS): Adding package $LCU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null 
+Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
 
 # Copy our updated recovery image from earlier into the main OS
-# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file 
+# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file
 # into each edition to enable single instancing
-Copy-Item -Path $WORKING_PATH"\winre.wim” -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null
+Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
 
 # Perform image cleanup
 Write-Host "$(Get-TS): Performing image cleanup on main OS"
 DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
 
 #
-# Note: If I wanted to enable additional Optional Components, I'd add these here. 
-# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require 
+# Note: If I wanted to enable additional Optional Components, I'd add these here.
+# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require
 # the image to be booted, and thus if we tried to cleanup after installation, it would fail.
 #
 
@@ -413,9 +413,9 @@ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorActio
 Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
 
 # Export
-Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim”
-Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\install.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim” -ErrorAction stop | Out-Null
-Move-Item -Path $WORKING_PATH"\install2.wim” -Destination $MEDIA_NEW_PATH“\sources\install.wim” -Force -ErrorAction stop | Out-Null
+Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
+Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
 ```
 
 ### Update remaining media files
@@ -446,8 +446,7 @@ Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null
 # Dismount ISO images
 Write-Host "$(Get-TS): Dismounting ISO images"
 Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
-Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null 
+Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
 
 Write-Host "$(Get-TS): Media refresh completed!"
 ```
-

From b6cfdb7b7501cb606bdaa5d59341f019fbd59b6f Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Wed, 18 Mar 2020 17:04:44 -0700
Subject: [PATCH 3/8] Update windows-defender-antivirus-compatibility.md

---
 ...indows-defender-antivirus-compatibility.md | 26 ++++++++-----------
 1 file changed, 11 insertions(+), 15 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 6b6e1270e3..bbb6d5cdc6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -62,22 +62,18 @@ See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defende
 
 The following table summarizes the functionality and features that are available in each state:
 
-|State | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Security intelligence updates](manage-updates-baselines-windows-defender-antivirus.md) |
-|-----|---|---|---|---|---|
-|Active mode <br/> Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] |
-|Passive mode <br/> Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] |
-|Shadow protection enabled <br/> Windows Defender Antivirus is not used as the primary antivirus solution, but can detect and remediate malicious items |[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] |
-|Automatic disabled mode | Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] |
-
-
-
-
-|State |Real-time protection and cloud-delivered protection | Limited periodic scanning availability | File scanning and detection information | Threat remediation | Security intelligence updates |
+|State |[Real-time protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) |
 |--|--|--|--|--|--|
-|Active mode <br/><br/> Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). |![yes](images/svg/check-yes.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |
-|Passive mode <br/><br/> Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) | |![no](images/svg/check-no.svg) | |
-| | | | | | |
-| | | | | | |
+|Active mode <br/><br/>  |![yes](images/svg/check-yes.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |
+|Passive mode  |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |
+|Shadow protection enabled  |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |
+|Automatic disabled mode  |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) |
+
+- In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself).
+- In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
+- When shadow protection is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
+- Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
+
 
 If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. 
 

From 0869f0edb20e82c032c1d956d76bceaa40505098 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Wed, 18 Mar 2020 17:14:51 -0700
Subject: [PATCH 4/8] Update windows-defender-antivirus-compatibility.md

---
 ...indows-defender-antivirus-compatibility.md | 23 ++++++++++---------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index bbb6d5cdc6..929e933d47 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -22,11 +22,15 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+## Overview
+
 Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using Microsoft Defender ATP.
 - When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, Windows Defender Antivirus automatically goes into disabled mode. 
 - If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and and threats are not remediated by Windows Defender Antivirus.) 
 - If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [shadow protection (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
 
+## Antivirus and Microsoft Defender ATP
+
 The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP. 
 
 
@@ -50,7 +54,6 @@ If you are Using Windows Server, version 1803 and Windows 2019, you can enable p
 
 See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
 
-
 >[!IMPORTANT]
 >Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.  
 >  
@@ -66,32 +69,30 @@ The following table summarizes the functionality and features that are available
 |--|--|--|--|--|--|
 |Active mode <br/><br/>  |![yes](images/svg/check-yes.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |
 |Passive mode  |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |
-|Shadow protection enabled  |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |
+|[Shadow protection enabled](shadow-protection.md)  |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |
 |Automatic disabled mode  |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) |
 
 - In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself).
 - In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
-- When shadow protection is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
+- When [shadow protection (currently in private preview)](shadow-protection.md) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
 - Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
 
+## Keep the following points in mind
 
 If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. 
 
-Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender Antivirus will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
+When Windows Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
     
-In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md); however, you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
 
- If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode.
+If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode.
 
 >[!WARNING]
->You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app.
->  
->This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks.
->
->It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
+>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
     
 
 ## Related topics
 
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
 - [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md)
+- [Shadow protection in next-generation protection](shadow-protection.md)

From 48760e09a6bdf6941ce8ca721b8a6125d938a1d0 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Wed, 18 Mar 2020 17:48:17 -0700
Subject: [PATCH 5/8] Update windows-defender-antivirus-compatibility.md

---
 .../windows-defender-antivirus-compatibility.md               | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 929e933d47..e4fe09ea80 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -24,8 +24,8 @@ manager: dansimp
 
 ## Overview
 
-Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using Microsoft Defender ATP.
-- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, Windows Defender Antivirus automatically goes into disabled mode. 
+Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
+- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode. 
 - If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and and threats are not remediated by Windows Defender Antivirus.) 
 - If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [shadow protection (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
 

From 7d9a8c2c5c7fab928ce5312b1054665dae51931b Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Wed, 18 Mar 2020 20:33:27 -0700
Subject: [PATCH 6/8] Update windows-defender-antivirus-compatibility.md

---
 .../windows-defender-antivirus-compatibility.md                 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index e4fe09ea80..fa3ddcc966 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -75,7 +75,7 @@ The following table summarizes the functionality and features that are available
 - In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself).
 - In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
 - When [shadow protection (currently in private preview)](shadow-protection.md) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
-- Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
+- In Automatic disabled mode, Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
 
 ## Keep the following points in mind
 

From a763aef204559e74185944b1c7db7a34a0efbfd5 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Thu, 19 Mar 2020 05:12:26 -0700
Subject: [PATCH 7/8] Update windows-defender-antivirus-compatibility.md

---
 .../windows-defender-antivirus-compatibility.md           | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index fa3ddcc966..42d5606841 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -67,10 +67,10 @@ The following table summarizes the functionality and features that are available
 
 |State |[Real-time protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) |
 |--|--|--|--|--|--|
-|Active mode <br/><br/>  |![yes](images/svg/check-yes.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |
-|Passive mode  |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |
-|[Shadow protection enabled](shadow-protection.md)  |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |![yes](images/svg/check-yes.svg) |
-|Automatic disabled mode  |![no](images/svg/check-no.svg) |![yes](images/svg/check-yes.svg) |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) |![no](images/svg/check-no.svg) |
+|Active mode <br/><br/>  |Yes |No |Yes |Yes |Yes |
+|Passive mode  |No |No |Yes |No |Yes |
+|[Shadow protection enabled](shadow-protection.md)  |No |No |Yes |Yes |Yes |
+|Automatic disabled mode  |No |Yes |No |No |No |
 
 - In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself).
 - In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.

From f0fba1e951296b2406364f60bf0130dd69a9694e Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Thu, 19 Mar 2020 05:12:57 -0700
Subject: [PATCH 8/8] Update windows-defender-antivirus-compatibility.md

---
 .../windows-defender-antivirus-compatibility.md                 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 42d5606841..33827edea0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -65,7 +65,7 @@ See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defende
 
 The following table summarizes the functionality and features that are available in each state:
 
-|State |[Real-time protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) |
+|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) |
 |--|--|--|--|--|--|
 |Active mode <br/><br/>  |Yes |No |Yes |Yes |Yes |
 |Passive mode  |No |No |Yes |No |Yes |