Merge branch 'master' into tvm-updates

windows/security/identity-protection/credential-guard/credential-guard-manage.md

@@ -141,7 +141,7 @@ You can also check that Windows Defender Credential Guard is running by using th
 DG_Readiness_Tool_v3.6.ps1 -Ready
 ```
 > [!IMPORTANT]
-> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. 
+> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. 
 > This is a known issue.
 
 > [!NOTE]

windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md

@@ -33,12 +33,14 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc
 
 |If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting<br>(Replace "contoso" with your domain name(s)|
 |-----------------------------|---------------------------------------------------------------------|
-|Office 365 for Business |<ul><li>contoso.sharepoint.com</li><li>contoso-my.sharepoint.com</li><li>contoso-files.sharepoint.com</li><li>tasks.office.com</li><li>protection.office.com</li><li>meet.lync.com</li><li>teams.microsoft.com</li></ul> |
+|Sharepoint Online |<ul><li>contoso.sharepoint.com</li><li>contoso-my.sharepoint.com</li><li>contoso-files.sharepoint.com</li></ul> |
 |Yammer |<ul><li>www.yammer.com</li><li>yammer.com</li><li>persona.yammer.com</li></ul> |
 |Outlook Web Access (OWA) |<ul><li>outlook.office.com</li><li>outlook.office365.com</li><li>attachments.office.net</li></ul> |
 |Microsoft Dynamics |contoso.crm.dynamics.com |
 |Visual Studio Online |contoso.visualstudio.com |
 |Power BI |contoso.powerbi.com |
+|Microsoft Teams |teams.microsoft.com |
+|Other Office 365 services |<ul><li>tasks.office.com</li><li>protection.office.com</li><li>meet.lync.com</li><li>project.microsoft.com</li></ul> |
 
 You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both.
 

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md

@@ -40,7 +40,7 @@ For information on other tables in the advanced hunting schema, see [the advance
 | `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
 | `OSVersion` | string | Version of the operating system running on the machine |
 | `OSArchitecture` | string | Architecture of the operating system running on the machine |
-| `SoftwareVendor` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
+| `SoftwareVendor` | string | Name of the software vendor |
 | `SoftwareName` | string | Name of the software product |
 | `SoftwareVersion` | string | Version number of the software product |
 | `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |

windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md

@@ -134,15 +134,15 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
 
 ### Block Office applications from creating executable content
 
-This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
+This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
 
-This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
+ Malware that abuse Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
 
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
 
 Intune name: Office apps/macros creating executable content
 
-Configuration Manager name: Block Office applications from creating executable content
+SCCM name: Block Office applications from creating executable content
 
 GUID: 3B576869-A4EC-4529-8536-B80A7769E899
 

windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md

@@ -63,6 +63,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
 - Each event hub message in Azure Event Hubs contains list of records.
 - Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
 - For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information.
 
 ## Data types mapping:
 

windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md

@@ -64,6 +64,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
 - Each blob contains multiple rows.
 - Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
 - For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information.
 
 ## Data types mapping:
 

windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md

@@ -73,7 +73,7 @@ Cyren's web content classification technology is integrated by design into Micro
 
 Learn more at https://www.cyren.com/products/url-filtering.
 
-### Cyren  permissions
+### Cyren Permissions
 
 "Sign in and read user profile" allows Cyren to read your tenant info from your Microsoft Defender ATP account, such as your tenant ID, which will be tied to your Cyren license.
 
@@ -168,4 +168,4 @@ You need to be logged in to an AAD account with either App administrator or Glob
 - [Web protection overview](web-protection-overview.md)
 - [Web threat protection](web-threat-protection.md)
 - [Monitor web security](web-protection-monitoring.md)
-- [Respond to web threats](web-protection-response.md)
+- [Respond to web threats](web-protection-response.md)

windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md

@@ -23,27 +23,26 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/powershell/mt173057.aspx).
+You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)).
 
-For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) topic.
+For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) topic.
 
-PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. 
+PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
 
 > [!NOTE]
 > PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/kb/927367).
 
-Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. 
+Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
 
 You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
 
 PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
 
-
 ## Use Windows Defender Antivirus PowerShell cmdlets
 
-1. Click **Start**, type **powershell**, and press **Enter**.
-2. Click **Windows PowerShell** to open the interface. 
-3. Enter the command and parameters.
+1. In the Windows search bar, type **powershell**.
+2. Select **Windows PowerShell** from the results to open the interface.
+3. Enter the PowerShell command and any parameters.
 
 > [!NOTE]
 > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
@@ -53,6 +52,7 @@ To open online help for any of the cmdlets type the following:
 ```PowerShell
 Get-Help <cmdlet> -Online
 ```
+
 Omit the `-online` parameter to get locally cached help.
 
 ## Related topics

windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md

@@ -43,8 +43,8 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo
 - All clients are running Windows 10 version 1903 or above;
 - All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
 
-> [!NOTE]
-> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) 
+    > [!NOTE]
+    > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM). 
 
 - Some, but not all, apps are deployed using MEMCM;
 - Most users are local administrators on their devices;
@@ -117,7 +117,7 @@ Alice follows these steps to complete this task:
       $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
       $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
       $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
-      Merge-CIPolicy -OutputFilePath = $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
+      Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
       ```
 
 7. If appropriate, add additional signer or file rules to further customize the policy for your organization.