Merge branch 'master' into lomayor-ta-report-guide

2025-05-18 16:27:22 +00:00 · 2020-10-27 16:47:23 -07:00 · 2020-10-27 16:47:23 -07:00 · 8ddca6b577
commit 8ddca6b577
parent af620fd49c 8ff9b222a2
110 changed files with 892 additions and 528 deletions
--- a/education/developers.yml
+++ b/education/developers.yml
@ -18,16 +18,16 @@ additionalContent:
        # Card
        - title: UWP apps for education
          summary: Learn how to write universal apps for education.
-          url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/
+          url: https://docs.microsoft.com/windows/uwp/apps-for-education/
        # Card
        - title: Take a test API
          summary: Learn how web applications can use the API to provide a locked down experience for taking tests.
-          url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api
+          url: https://docs.microsoft.com/windows/uwp/apps-for-education/take-a-test-api
        # Card
        - title: Office Education Dev center
          summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app
-          url: https://dev.office.com/industry-verticals/edu
+          url: https://developer.microsoft.com/office/edu
        # Card
        - title: Data Streamer
          summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application.
-          url: https://docs.microsoft.com/en-us/microsoft-365/education/data-streamer
+          url: https://docs.microsoft.com/microsoft-365/education/data-streamer
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@ -0,0 +1,11 @@
 <!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->
 ## Week of October 19, 2020
 | Published On |Topic title | Change |
 |------|------------|--------|
 | 10/22/2020 | [Microsoft 365 Education Documentation for developers](/education/developers) | modified |
 | 10/22/2020 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified |
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@ -30,10 +30,10 @@ Windows 10, version 1607 introduces two editions designed for the unique needs o
 Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
-For Cortana<sup>[1](#footnote1)</sup>,
+For Cortana<sup>[1](#footnote1)</sup>:
 - If you're using version 1607, Cortana is removed.
- If you're using new devices with version 1703, Cortana is turned on by default.
+- If you're using new devices with version 1703 or later, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
+- If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled.
 You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
@ -49,10 +49,10 @@ Customers who deploy Windows 10 Pro are able to configure the product to have si
 Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
-For Cortana<sup>1</sup>,
+For Cortana<sup>1</sup>:
 - If you're using version 1607, Cortana<sup>1</sup> is removed.
- If you're using new devices with version 1703, Cortana is turned on by default.
+- If you're using new devices with version 1703 or later, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
+- If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled.
 You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md
+++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
@ -18,10 +18,10 @@ ms.date: 10/17/2017
 # Add unsigned app to code integrity policy
 > [!IMPORTANT]
-> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020.
+> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020.
 >
 > Following are the major changes we are making to the service: 
-> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download.
+> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
 > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). 
 > -	DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download).  Note that the certificate used to sign a file can be easily extracted from the signed file itself.  As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.
 >
@ -32,7 +32,7 @@ ms.date: 10/17/2017
 > - Download root cert
 > - Download history of your signing operations 
 >
-> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration.  
+> For any questions, please contact us at DGSSMigration@microsoft.com. 
 **Applies to**
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@ -18,10 +18,10 @@ ms.date: 10/17/2017
 # Device Guard signing
 > [!IMPORTANT]
-> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020.
+> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020.
 >
 > Following are the major changes we are making to the service: 
-> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download.
+> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
 > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). 
 > -	DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download).  Note that the certificate used to sign a file can be easily extracted from the signed file itself.  As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.
 >
@ -32,7 +32,7 @@ ms.date: 10/17/2017
 > - Download root cert
 > - Download history of your signing operations 
 >
-> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration.  
+> For any questions, please contact us at DGSSMigration@microsoft.com.  
 **Applies to**
--- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
+++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
@ -18,10 +18,10 @@ ms.date: 10/17/2017
 # Sign code integrity policy with Device Guard signing
 > [!IMPORTANT]
-> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020.
+> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020.
 >
 > Following are the major changes we are making to the service: 
-> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download.
+> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
 > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). 
 > -	DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download).  Note that the certificate used to sign a file can be easily extracted from the signed file itself.  As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.
 >
@ -32,7 +32,7 @@ ms.date: 10/17/2017
 > - Download root cert
 > - Download history of your signing operations 
 >
-> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration.  
+> For any questions, please contact us at DGSSMigration@microsoft.com. 
 **Applies to**
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@ -53,7 +53,7 @@ As indicated in the diagram, Microsoft continues to provide support for deep man
 With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can:
-   Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune).
+-   Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/).
 -   Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages).
@ -69,7 +69,7 @@ You can envision user and device management as falling into these two categories
 -   **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
-    -   For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://blogs.technet.microsoft.com/ad/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/), all from the cloud.<br>Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
+    -   For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.<br>Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
    -   Likewise, for personal devices, employees can use a new, simplified [BYOD experience](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/) to add their work account to Windows, then access work resources on the device.
@ -135,6 +135,6 @@ There are a variety of steps you can take to begin the process of modernizing de
 ## Related topics
-   [What is Intune?](https://docs.microsoft.com/intune/introduction-intune)
+-   [What is Intune?](https://docs.microsoft.com//mem/intune/fundamentals/what-is-intune)
 -   [Windows 10 Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
 -   [Windows 10 Configuration service Providers](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference)
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@ -52,6 +52,7 @@ This node specifies the username for a new local user account.  This setting can
 This node specifies the password for a new local user account.  This setting can be managed remotely. 
 Supported operation is Add.
 GET operation is not supported.  This setting will report as failed when deployed from the Endpoint Manager.
 <a href="" id="users-username-localusergroup"></a>**Users/_UserName_/LocalUserGroup**  
 This optional node specifies the local user group that a local user account should be joined to.  If the node is not set, the new local user account is joined just to the Standard Users group.  Set the value to 2 for Administrators group. This setting can be managed remotely.
--- a/windows/client-management/mdm/change-history-for-mdm-documentation.md
+++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md
@ -20,7 +20,7 @@ This article lists new and updated articles for the Mobile Device Management (MD
 |New or updated article | Description|
 |--- | ---|
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:<br>- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)<br>- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)<br>- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)<br>- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)<br>- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)<br>- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)<br>- [WindowsSandbox/AllowAudioInput](policy-csp-windowssandbox.md#windowssandbox-allowaudioinput)<br>- [WindowsSandbox/AllowClipboardRedirection](policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection)<br>- [WindowsSandbox/AllowNetworking](policy-csp-windowssandbox.md#windowssandbox-allownetworking)<br>- [WindowsSandbox/AllowPrinterRedirection](policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection)<br>- [WindowsSandbox/AllowVGPU](policy-csp-windowssandbox.md#windowssandbox-allowvgpu)<br>- [WindowsSandbox/AllowVideoInput](policy-csp-windowssandbox.md#windowssandbox-allowvideoinput) |
+| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies<br>- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)<br>- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)<br>- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)<br>- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)<br>- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)<br>- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)<br>- [Update/DisableWUfBSafeguards](policy-csp-update.md#update-disablewufbsafeguards)<br>- [WindowsSandbox/AllowAudioInput](policy-csp-windowssandbox.md#windowssandbox-allowaudioinput)<br>- [WindowsSandbox/AllowClipboardRedirection](policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection)<br>- [WindowsSandbox/AllowNetworking](policy-csp-windowssandbox.md#windowssandbox-allownetworking)<br>- [WindowsSandbox/AllowPrinterRedirection](policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection)<br>- [WindowsSandbox/AllowVGPU](policy-csp-windowssandbox.md#windowssandbox-allowvgpu)<br>- [WindowsSandbox/AllowVideoInput](policy-csp-windowssandbox.md#windowssandbox-allowvideoinput) |
 ## September 2020
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@ -61,7 +61,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 | New or updated article | Description |
 |-----|-----|
-|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings in Windows 10, version 1809:<br>- ApplicationManagement/LaunchAppAfterLogOn<br>- ApplicationManagement/ScheduleForceRestartForUpdateFailures<br>- Authentication/EnableFastFirstSignIn (Preview mode only)<br>- Authentication/EnableWebSignIn (Preview mode only)<br>- Authentication/PreferredAadTenantDomainName<br>- Browser/AllowFullScreenMode<br>- Browser/AllowPrelaunch<br>- Browser/AllowPrinting<br>- Browser/AllowSavingHistory<br>- Browser/AllowSideloadingOfExtensions<br>- Browser/AllowTabPreloading<br>- Browser/AllowWebContentOnNewTabPage<br>- Browser/ConfigureFavoritesBar<br>- Browser/ConfigureHomeButton<br>- Browser/ConfigureKioskMode<br>- Browser/ConfigureKioskResetAfterIdleTimeout<br>- Browser/ConfigureOpenMicrosoftEdgeWith<br>- Browser/ConfigureTelemetryForMicrosoft365Analytics<br>- Browser/PreventCertErrorOverrides<br>- Browser/SetHomeButtonURL<br>- Browser/SetNewTabPageURL<br>- Browser/UnlockHomeButton<br>- Defender/CheckForSignaturesBeforeRunningScan<br>- Defender/DisableCatchupFullScan<br>- Defender/DisableCatchupQuickScan<br>- Defender/EnableLowCPUPriority<br>- Defender/SignatureUpdateFallbackOrder<br>- Defender/SignatureUpdateFileSharesSources<br>- DeviceGuard/ConfigureSystemGuardLaunch<br>- DeviceInstallation/AllowInstallationOfMatchingDeviceIDs<br>- DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses<br>- DeviceInstallation/PreventDeviceMetadataFromNetwork<br>- DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings<br>- DmaGuard/DeviceEnumerationPolicy<br>- Experience/AllowClipboardHistory<br>- Experience/DoNotSyncBrowserSettings<br>- Experience/PreventUsersFromTurningOnBrowserSyncing<br>- Kerberos/UPNNameHints<br>- Privacy/AllowCrossDeviceClipboard<br>- Privacy/DisablePrivacyExperience<br>- Privacy/UploadUserActivities<br>- Security/RecoveryEnvironmentAuthentication<br>- System/AllowDeviceNameInDiagnosticData<br>- System/ConfigureMicrosoft365UploadEndpoint<br>- System/DisableDeviceDelete<br>- System/DisableDiagnosticDataViewer<br>- Storage/RemovableDiskDenyWriteAccess<br>- TaskManager/AllowEndTask<br>- Update/EngagedRestartDeadlineForFeatureUpdates<br>- Update/EngagedRestartSnoozeScheduleForFeatureUpdates<br>- Update/EngagedRestartTransitionScheduleForFeatureUpdates<br>- Update/SetDisablePauseUXAccess<br>- Update/SetDisableUXWUAccess<br>- WindowsDefenderSecurityCenter/DisableClearTpmButton<br>- WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning<br>- WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl<br>- WindowsLogon/DontDisplayNetworkSelectionUI |
+|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings in Windows 10, version 1809:<br>- ApplicationManagement/LaunchAppAfterLogOn<br>- ApplicationManagement/ScheduleForceRestartForUpdateFailures<br>- Authentication/EnableFastFirstSignIn (Preview mode only)<br>- Authentication/EnableWebSignIn (Preview mode only)<br>- Authentication/PreferredAadTenantDomainName<br>- Browser/AllowFullScreenMode<br>- Browser/AllowPrelaunch<br>- Browser/AllowPrinting<br>- Browser/AllowSavingHistory<br>- Browser/AllowSideloadingOfExtensions<br>- Browser/AllowTabPreloading<br>- Browser/AllowWebContentOnNewTabPage<br>- Browser/ConfigureFavoritesBar<br>- Browser/ConfigureHomeButton<br>- Browser/ConfigureKioskMode<br>- Browser/ConfigureKioskResetAfterIdleTimeout<br>- Browser/ConfigureOpenMicrosoftEdgeWith<br>- Browser/ConfigureTelemetryForMicrosoft365Analytics<br>- Browser/PreventCertErrorOverrides<br>- Browser/SetHomeButtonURL<br>- Browser/SetNewTabPageURL<br>- Browser/UnlockHomeButton<br>- Defender/CheckForSignaturesBeforeRunningScan<br>- Defender/DisableCatchupFullScan<br>- Defender/DisableCatchupQuickScan<br>- Defender/EnableLowCPUPriority<br>- Defender/SignatureUpdateFallbackOrder<br>- Defender/SignatureUpdateFileSharesSources<br>- DeviceGuard/ConfigureSystemGuardLaunch<br>- DeviceInstallation/AllowInstallationOfMatchingDeviceIDs<br>- DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses<br>- DeviceInstallation/PreventDeviceMetadataFromNetwork<br>- DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings<br>- DmaGuard/DeviceEnumerationPolicy<br>- Experience/AllowClipboardHistory<br>- Experience/DoNotSyncBrowserSettings<br>- Experience/PreventUsersFromTurningOnBrowserSyncing<br>- Kerberos/UPNNameHints<br>- Privacy/AllowCrossDeviceClipboard<br>- Privacy/DisablePrivacyExperience<br>- Privacy/UploadUserActivities<br>- Security/RecoveryEnvironmentAuthentication<br>- System/AllowDeviceNameInDiagnosticData<br>- System/ConfigureMicrosoft365UploadEndpoint<br>- System/DisableDeviceDelete<br>- System/DisableDiagnosticDataViewer<br>- Storage/RemovableDiskDenyWriteAccess<br>- TaskManager/AllowEndTask<br>- Update/DisableWUfBSafeguards<br>- Update/EngagedRestartDeadlineForFeatureUpdates<br>- Update/EngagedRestartSnoozeScheduleForFeatureUpdates<br>- Update/EngagedRestartTransitionScheduleForFeatureUpdates<br>- Update/SetDisablePauseUXAccess<br>- Update/SetDisableUXWUAccess<br>- WindowsDefenderSecurityCenter/DisableClearTpmButton<br>- WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning<br>- WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl<br>- WindowsLogon/DontDisplayNetworkSelectionUI |
 | [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro. |
 | [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus in Windows 10, version 1809. |
 | [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber in Windows 10, version 1809. |
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -5225,6 +5225,9 @@ The following diagram shows the Policy configuration service provider in tree fo
  <dd>
    <a href="./policy-csp-update.md#update-disabledualscan" id="update-disabledualscan">Update/DisableDualScan</a>
  </dd>
  <dd>
    <a href="./policy-csp-update.md#update-disablewufbsafeguards" id="update-disablewufbsafeguards">Update/DisableWUfBSafeguards</a>
  </dd>
  <dd>
    <a href="./policy-csp-update.md#update-engagedrestartdeadline" id="update-engagedrestartdeadline">Update/EngagedRestartDeadline</a>
  </dd>
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@ -7,7 +7,7 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
-ms.date: 02/10/2020
+ms.date: 10/21/2020
 ms.reviewer: 
 manager: dansimp
 ---
@ -96,6 +96,9 @@ manager: dansimp
  <dd>
    <a href="#update-disabledualscan">Update/DisableDualScan</a>
  </dd>
  <dd>
    <a href="#update-disablewufbsafeguards">Update/DisableWUfBSafeguards</a>
  </dd>
  <dd>
    <a href="#update-engagedrestartdeadline">Update/EngagedRestartDeadline</a>
  </dd>
@ -2013,6 +2016,85 @@ The following list shows the supported values:
 <hr/>
 <!--Policy-->
 <a href="" id="update-disablewufbsafeguards"></a>**Update/DisableWUfBSafeguards**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Windows Edition</th>
    <th>Supported?</th>
 </tr>
 <tr>
    <td>Home</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Pro</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 </tr>
 <tr>
    <td>Business</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 </tr>
 <tr>
    <td>Education</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 Available in Windows Update for Business (WUfB) devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a WUfB device should skip safeguards.
 Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience.
 The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update.
 IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the “Disable safeguards for Feature Updates” Group Policy. 
 > [!NOTE]
 > Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied.
 >
 > The disable safeguards policy will revert to “Not Configured” on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update. 
 >
 > Disabling safeguards does not guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade as you are bypassing the protection given by Microsoft pertaining to known issues.
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
 -   GP English name: *Disable safeguards for Feature Updates*
 -   GP name: *DisableWUfBSafeguards*
 -   GP path: *Windows Components/Windows Update/Windows Update for Business*
 -   GP ADMX file name: *WindowsUpdate.admx*
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 The following list shows the supported values:
 - 0 (default) - Safeguards are enabled and devices may be blocked for upgrades until the safeguard is cleared.
 - 1 - Safeguards are not enabled and upgrades will be deployed without blocking on safeguards.
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**  
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@ -12,19 +12,20 @@ ms.topic: article
 # Safeguard holds
-Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
+Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
 Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows 10.
 The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices.
-Safeguard holds only affect devices that use the Window Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services (WSUS)) to remain aware of known issues that might also be present in their environments.
+
 Safeguard holds only affect devices that use the Window Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
 ## Am I affected by a safeguard hold?
 IT admins can use [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) to monitor various update health metrics for devices in their organization, including ones affected by a safeguard hold that prevents them from updating to a newer operating system version. 
-Queries identify Safeguard IDs for each affected device, giving IT admins a detailed view into the various protections extended to devices. Safeguard IDs for publicly discussed known issues are also included in the [Windows Release Health](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) dashboard, where you can easily find information related to publicly available safeguards.
+Queries identify Safeguard IDs for each affected device, giving IT admins a detailed view into the various protections extended to devices. Safeguard IDs for publicly discussed known issues are also included in the [Windows release health](https://aka.ms/windowsreleasehealth) dashboard, where you can easily find information related to publicly available safeguards.
 On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
@ -40,4 +41,4 @@ We recommend that you do not attempt to manually update until issues have been r
 > [!CAUTION]
 > Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out.
-With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows Release Health](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, protection of safeguard holds is reinstated automatically. 
+With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](https://aka.ms/windowsreleasehealth) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically. 
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@ -13,7 +13,7 @@ ms.author: dansimp
 manager: dansimp
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 07/21/2020
+ms.date: 10/13/2020
 ---
 # Configure Windows diagnostic data in your organization
@ -24,7 +24,7 @@ ms.date: 07/21/2020
 - Windows 10 Education
 - Windows Server 2016 and newer
-This article applies to Windows 10, Windows Server, Surface Hub, and Hololens diagnostic data only. It describes the types of diagnostic data that’s sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers.
+This article applies to Windows 10, Windows Server, Surface Hub, and HoloLens diagnostic data only. It describes the types of diagnostic data that’s sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers.
 >[!IMPORTANT]
 >Microsoft is [increasing transparency](https://blogs.microsoft.com/on-the-issues/2019/04/30/increasing-transparency-and-customer-control-over-data/) by categorizing the data we collect as required or optional. Windows 10 is in the process of updating devices to reflect this new categorization, and during this transition Basic diagnostic data will be recategorized as Required diagnostic data and Full diagnostic data will be recategorized as Optional diagnostic data. For more information, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md).
@ -50,7 +50,9 @@ For example, in an earlier version of Windows 10 there was a version of a video
 Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.
 - **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
 - **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
 - **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between apps. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
 ## How Microsoft handles diagnostic data
@ -60,8 +62,11 @@ Use the following sections to learn more about how Microsoft handles diagnostic
 ### Data collection
 Depending on the diagnostic data settings on the device, diagnostic data can be collected via the following methods:
 - Small payloads of structured information referred to as diagnostic data events, managed by the Connected User Experiences and Telemetry component.
 - Diagnostic logs for additional troubleshooting, also managed by the Connected User Experience and Telemetry component. 
 - Crash reporting and crash dumps, managed by [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting).
 Later in this document we provide further details about how to control what’s collected and what data can be included in these different types of diagnostic data.
@ -101,7 +106,7 @@ There are four diagnostic data collection settings. Each setting is described in
 Here’s a summary of the types of data that is included with each setting:
-| | **Diagnostic data off (Security)** | **Required (Basic)** | **Enhanced** |**Optional (Full)**|
+| | Diagnostic data off (Security) | Required (Basic) | Enhanced | Optional (Full) |
 | --- | --- | --- | --- | --- |
 | **Diagnostic data events** | No Windows diagnostic data sent. | Minimum data required to keep the device secure, up to date, and performing as expected. | Additional data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. | Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.|
 | **Crash Metadata** | N/A | Yes | Yes | Yes |
@ -155,9 +160,13 @@ Required diagnostic data includes:
 >We’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. making changes to the enhanced diagnostic data level. For more info about this change, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md).
 Enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. When you choose to send enhanced diagnostic data, required diagnostic data will always be included, and we collect the following additional information:
 - Operating system events that help to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
 - Operating system app events resulting from Microsoft apps and management tools that were downloaded from the Microsoft Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
 - Device-specific events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
 - All crash dump types, except for heap dumps and full dumps. For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting).
 ### Optional diagnostic data
@ -165,9 +174,13 @@ Enhanced diagnostic data includes data about the websites you browse, how Window
 Optional diagnostic data, previously labeled as **Full**, includes more detailed information about your device and its settings, capabilities, and device health. Optional diagnostic data also includes data about the websites you browse, device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. When you choose to send optional diagnostic data, required diagnostic data will always be included, and we collect the following additional information:
 - Additional data about the device, connectivity, and configuration, beyond that collected under required diagnostic data.
 - Status and logging information about the health of operating system and other system components beyond what is collected under required diagnostic data.
 - App activity, such as which programs are launched on a device, how long they run, and how quickly they respond to input.
 - Browser activity, including browsing history and search terms, in Microsoft browsers (Microsoft Edge or Internet Explorer).
 - Enhanced error reporting, including the memory state of the device when a system or app crash occurs (which may unintentionally contain user content, such as parts of a file you were using when the problem occurred). Crash data is never used for Tailored experiences.
 >[!Note]
@ -198,13 +211,14 @@ Use the appropriate value in the table below when you configure the management p
 You can use Group Policy to set your organization’s diagnostic data setting:
- 1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
+1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
 2.  Double-click **Allow Telemetry**.
->[!NOTE]
+2.  Double-click **Allow Telemetry**.
 > If devices in your organization are running Windows 10, 1803 and newer, the user can still use Settings to set the diagnostic data setting to a more restrictive value, unless the **Configure diagnostic data opt-in settings user interface** policy is set.
- 3. In the **Options** box, choose the setting that you want to configure, and then click **OK**.
+    > [!NOTE]
    > If devices in your organization are running Windows 10, 1803 and newer, the user can still use Settings to set the diagnostic data setting to a more restrictive value, unless the **Configure diagnostic data opt-in settings user interface** policy is set.
 3. In the **Options** box, choose the setting that you want to configure, and then click **OK**.
 ### Use MDM to manage diagnostic data collection
@ -213,3 +227,9 @@ Use [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/win
 ## Limit optional diagnostic data for Desktop Analytics
 For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/enable-data-sharing).
 ## Change privacy settings on a single server
 You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. For more information, see [Change privacy settings on individual servers](https://docs.microsoft.com/azure-stack/hci/manage/change-privacy-settings).
 To manage privacy settings in your enterprise as a whole, see [Manage enterprise diagnostic data](#manage-enterprise-diagnostic-data).
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@ -12,7 +12,7 @@ ms.author: obezeajo
 manager: robsize
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 6/9/2020
+ms.date: 10/22/2020
 ---
 # Manage connection endpoints for Windows 10 Enterprise, version 2004
@ -60,9 +60,8 @@ The following methodology was used to derive these network endpoints:
 ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*|
 |Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
 ||The following endpoint is used to retrieve device metadata. If you  turn off traffic for this endpoint, metadata will not be updated for the device.|HTTPS|dmd.metaservices.microsoft.com|
-|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|Diagnostic Data|The following endpoints are used by the Windows Diagnostic Data, Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
 |||TLSv1.2|v10.events.data.microsoft.com|
 |||TLSv1.2|v20.events.data.microsoft.com|
 ||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|*.telecommand.telemetry.microsoft.com|
 |||TLS v1.2|watson.*.microsoft.com|
 |Font Streaming|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@ -21,8 +21,7 @@ ms.custom:
 # Manage Windows Defender Credential Guard
 **Applies to**
-   Windows 10 <=1903 Enterprise and Education SKUs
+-   Windows 10 Enterprise or Education SKUs
 -   Windows 10 >=1909
 -   Windows Server 2016
 -   Windows Server 2019
@ -119,12 +118,15 @@ You can do this by using either the Control Panel or the Deployment Image Servic
 2.  Enable virtualization-based security:
    -   Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
    -   Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
    -   Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
 3.  Enable Windows Defender Credential Guard:
    -   Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
    -   Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
 4.  Close Registry Editor.
@ -145,6 +147,7 @@ DG_Readiness_Tool.ps1 -Enable -AutoReboot
 > [!IMPORTANT]
 > When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. 
 >
 > This is a known issue.
 ### Review Windows Defender Credential Guard performance
@ -171,6 +174,7 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
 > [!IMPORTANT]
 > When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. 
 >
 > This is a known issue.
 > [!NOTE]
@ -179,15 +183,25 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
 -   We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible.
 -   You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
-    -   **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
+
-    -   **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0**
+    - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
-        -   The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run.
+    
-        -   The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
+    - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0**
-    -   **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
+    
-    -   **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
+        -  The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run.
-    -   **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]  
+        
-    You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
+        -  The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
-        -   **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.  
+        
    - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
    - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
    - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]  
      You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
    - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.  
  - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
    ```powershell
@ -195,10 +209,13 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
    ```
    This command generates the following output:  
    - **0**: Windows Defender Credential Guard is disabled (not running)
    - **1**: Windows Defender Credential Guard is enabled (running)
-    > [!NOTE]  
+    
-    > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running.
+      > [!NOTE]  
      > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running.
 ## Disable Windows Defender Credential Guard
@ -207,12 +224,15 @@ To disable Windows Defender Credential Guard, you can use the following set of p
 1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard** -&gt; **Turn on Virtualization Based Security**).
 2. Delete the following registry settings:
   - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
   - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags
 3. If you also wish to disable virtualization-based security delete the following registry settings:
   - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
   - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
     > [!IMPORTANT]
     > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
@ -261,6 +281,7 @@ DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
 > [!IMPORTANT]  
 > When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. 
 >
 > This is a known issue.
 #### Disable Windows Defender Credential Guard for a virtual machine
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@ -58,11 +58,11 @@ For information about Windows Defender Remote Credential Guard hardware and soft
 When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
->[!WARNING]
+> [!WARNING]
 > Enabling Windows Defender Credential Guard on domain controllers is not supported.
 > The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes.
->[!NOTE]
+> [!NOTE]
 > Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
 Applications will break if they require:
@ -140,7 +140,7 @@ The following table lists qualifications for Windows 10, version 1703, which are
 > [!IMPORTANT]
 >
->Regarding **VBS enablement of NX protection for UEFI runtime services**:
+> Regarding **VBS enablement of NX protection for UEFI runtime services**:
 >
 > - This only applies to UEFI runtime service memory, and not UEFI boot service memory.
 >
--- a/windows/security/identity-protection/hello-for-business/hello-faq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.md
@ -45,7 +45,7 @@ The statement "PIN is stronger than Password" is not directed at the strength of
 The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name.  To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016.
 ## Can I use a convenience PIN with Azure AD?
-It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises Domain Joined users and local account users.
+It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts (synchronized identities included). It is only supported for on-premises Domain Joined users and local account users.
 ## Can I use an external camera when my laptop is closed or docked?
 No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed.  The product group is aware of this and is investigating this topic further.
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@ -53,7 +53,7 @@ Use the following table to compare different Remote Desktop connection security
 <br />
-|                                                       **Feature**                                                        |                                                           **Remote Desktop**                                                           |                                      **Windows Defender Remote Credential Guard**                                      |                                                                                                                                             **Restricted Admin mode**                                                                                                                                             |
+| Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
 |--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 |                                                 **Protection benefits**                                                  |                                Credentials on the server are not protected from Pass-the-Hash attacks.                                 |  User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing   |                                                                                  User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server                                                                                   |
 |                                                   **Version support**                                                    |                                        The remote computer can run any Windows operating system                                        | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
@ -67,7 +67,7 @@ Use the following table to compare different Remote Desktop connection security
 <br />
 For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx)
-and [How Kerberos works](https://technet.microsoft.com/library/cc961963.aspx(d=robot))
+and [How Kerberos works](https://technet.microsoft.com/library/cc961963.aspx(d=robot)).
 <br />
@ -92,9 +92,12 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
 The Remote Desktop client device:
-  Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine. 
+-  Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
 -  Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host.
 -  Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
 -  Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
 The Remote Desktop remote host:
@ -108,9 +111,13 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
 > [!NOTE]
 > Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
 >
 > GPO [Remote host allows delegation of non-exportable credentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials.
 - For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.
 - The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
 - The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.
 ## Enable Windows Defender Remote Credential Guard
@ -118,15 +125,20 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
 You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry.
 1. Open Registry Editor on the remote host.
 2. Enable Restricted Admin and Windows Defender Remote Credential Guard:
    - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
    - Add a new DWORD value named **DisableRestrictedAdmin**.
    - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
 3. Close Registry Editor.
 You can add this by running the following command from an elevated command prompt:
-```
+```console
 reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
 ```
@ -143,6 +155,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
    ![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
 3. Under **Use the following restricted mode**:
   - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
     > [!NOTE]
@ -163,7 +176,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
 If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
-```
+```console
 mstsc.exe /remoteGuard
 ```
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@ -109,9 +109,7 @@ To better understand each component, review the table below:
 <th>Description</th>
 </tr>
 <tr>
-<td>
+<th colspan="2">User</th>
 <p><b>User</b></p>
 </td>
 </tr>
 <tr>
 <td>
@ -138,9 +136,7 @@ To better understand each component, review the table below:
 </td>
 </tr>
 <tr>
-<td>
+<th colspan="2">System</th>
 <p><b>System</b></p>
 </td>
 </tr>
 <tr>
 <td>
@ -248,8 +244,7 @@ To better understand each component, review the table below:
 </td>
 </tr>
 <tr>
-<td>
+<th colspan="2">Kernel</th>
 <p><b>Kernel</b></p>
 </td>
 </tr>
 <tr>
@ -276,9 +271,11 @@ The slider will never turn UAC completely off. If you set it to <b>Never notify<
 -   Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
 -   Automatically deny all elevation requests for standard users.
-> **Important:**  In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
+> [!IMPORTANT]
-> 
+> In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
-> **Warning:**  Universal Windows apps will not work when UAC is disabled.
+
 > [!WARNING]
 > Some Universal Windows Platform apps may not work when UAC is disabled.
 ### Virtualization
@ -291,7 +288,9 @@ Most app tasks operate properly by using virtualization features. Although virtu
 Virtualization is not an option in the following scenarios:
 -   Virtualization does not apply to apps that are elevated and run with a full administrative access token.
 -   Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations.
 -   Virtualization is disabled if the app includes an app manifest with a requested execution level attribute.
 ### Request execution levels
@ -319,6 +318,8 @@ Before a 32-bit process is created, the following attributes are checked to dete
 -   Key attributes in the resource script data are linked in the executable file.
 -   There are targeted sequences of bytes within the executable file.
-> **Note:**  The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
+> [!NOTE]
-> 
+> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
-> **Note:**  The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
+
 > [!NOTE]
 > The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@ -82,20 +82,24 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if
 ### Using System information
 1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
 2. Check the value of **Kernel DMA Protection**.
   ![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png)
 3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO:
   - Reboot into BIOS settings
   - Turn on Intel Virtualization Technology.
   - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
   - Reboot system into Windows 10.
->[!NOTE]
+   >[!NOTE]
-> **Hyper-V - Virtualization Enabled in Firmware** is NOT shown when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is shown because this means that **Hyper-V - Virtualization Enabled in Firmware** is YES.
+   > **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. 
-For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
+   For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
 ## Frequently asked questions
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -19,11 +19,10 @@
 ### [Deployment phases](microsoft-defender-atp/deployment-phases.md)
 ### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
 ### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
-### [Phase 3: Onboard]()
+### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
-#### [Onboarding overview](microsoft-defender-atp/onboarding.md)
+#### [Onboarding using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/onboarding-endpoint-configuration-manager.md)
-##### [Onboarding using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/onboarding-endpoint-configuration-manager.md)
+#### [Onboarding using Microsoft Endpoint Manager](microsoft-defender-atp/onboarding-endpoint-manager.md)
-##### [Onboarding using Microsoft Endpoint Manager](microsoft-defender-atp/onboarding-endpoint-manager.md)
+#### [Onboard supported devices](microsoft-defender-atp/onboard-configure.md)
 ## [Migration guides](microsoft-defender-atp/migration-guides.md)
 ### [Switch from McAfee to Microsoft Defender for Endpoint]()
@ -397,6 +396,7 @@
 ### [Automated investigation and response (AIR)]()
 #### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
 #### [Automation levels in AIR](microsoft-defender-atp/automation-levels.md)
 #### [Configure AIR capabilities](microsoft-defender-atp/configure-automated-investigations-remediation.md)
 ### [Advanced hunting]()
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
@ -38,33 +38,12 @@ You can configure this security setting by opening the appropriate policy under
 | Logon events | Description |
 | - | - |
-| 528          | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.                                                                                          |
+| 4624          | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.                                                                                          |
-| 529          | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.                                                                                                     |
+| 4625          | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.                                                                                                     |
-| 530          | Logon failure. A logon attempt was made user account tried to log on outside of the allowed time.                                                                                                               |
+| 4634          | The logoff process was completed for a user.                                                                                                                                                                    |                                                                                                                               
-| 531          | Logon failure. A logon attempt was made using a disabled account.                                                                                                                                               |
+| 4647          | A user initiated the logoff process.                                                                                                                                                                            |
-| 532          | Logon failure. A logon attempt was made using an expired account.                                                                                                                                               |
+| 4648          | A user successfully logged on to a computer using explicit credentials while already logged on as a different user.                                                                                             |
-| 533          | Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.                                                                                                                |
+| 4779          | A user disconnected a terminal server session without logging off.                                                                                                                                              |
 | 534          | Logon failure. The user attempted to log on with a type that is not allowed.                                                                                                                                    |
 | 535          | Logon failure. The password for the specified account has expired.                                                                                                                                              |
 | 536          | Logon failure. The Net Logon service is not active.                                                                                                                                                             |
 | 537          | Logon failure. The logon attempt failed for other reasons.                                                                                                                                                      |
 | 538          | The logoff process was completed for a user.                                                                                                                                                                    |
 | 539          | Logon failure. The account was locked out at the time the logon attempt was made.                                                                                                                               |
 | 540          | A user successfully logged on to a network.                                                                                                                                                                     |
 | 541          | Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel. |
 | 542          | A data channel was terminated.                                                                                                                                                                                  |
 | 543          | Main mode was terminated.                                                                                                                                                                                       |
 | 544          | Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.                                                                                        |
 | 545          | Main mode authentication failed because of a Kerberos failure or a password that is not valid.                                                                                                                  |
 | 546          | IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.                                                  |
 | 547          | A failure occurred during an IKE handshake.                                                                                                                                                                     |
 | 548          | Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client.                                                                                                 |
 | 549          | Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests.                                                                                        |
 | 550          | Notification message that could indicate a possible denial-of-service attack.                                                                                                                                   |
 | 551          | A user initiated the logoff process.                                                                                                                                                                            |
 | 552          | A user successfully logged on to a computer using explicit credentials while already logged on as a different user.                                                                                             |
 | 682          | A user has reconnected to a disconnected terminal server session.                                                                                                                                               |
 | 683          | A user disconnected a terminal server session without logging off.                                                                                                                                              |
 When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type.
--- a/windows/security/threat-protection/intelligence/TOC.md
+++ b/windows/security/threat-protection/intelligence/TOC.md
@ -10,7 +10,9 @@
 ### [Macro malware](macro-malware.md)
-### [Phishing](phishing.md)
+### [Phishing attacks](phishing.md)
 #### [Phishing trends and techniques](phishing-trends.md)
 ### [Ransomware](ransomware-malware.md)
--- a/windows/security/threat-protection/intelligence/phishing-trends.md
+++ b/windows/security/threat-protection/intelligence/phishing-trends.md
@ -0,0 +1,69 @@
 ---
 title: Phishing trends and techniques
 ms.reviewer: 
 description: Learn about how to spot phishing techniques
 keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack, spear phishing, whaling
 ms.prod: w10
 ms.mktglfcycl: secure
 ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
 search.appverid: met150
 ---
 # Phishing trends and techniques
 Phishing attacks are scams that often use social engineering bait or lure content. Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information.
 Below are some of the most common phishing techniques attackers will employ to try to steal information or gain access to your devices.
 ## Invoice phishing
 In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds.
 ## Payment/delivery scam
 You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. However, you aren't aware of any items you have recently purchased from them.
 ## Tax-themed phishing scams
 A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts.
 ## Downloads
 An attacker sends a fraudulent email requesting you to open or download a document attachment, such as a PDF. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you.
 ## Phishing emails that deliver other threats
 Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files.
 We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.
 ## Spear phishing
 Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target.
 Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer.
 The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks.
 ## Whaling
 Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization.
 ## Business email compromise
 Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers.
 ## More information about phishing attacks
 For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/):
 - [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc)
 - [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc)
 - [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc)
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ b/windows/security/threat-protection/intelligence/phishing.md
@ -1,5 +1,5 @@
 ---
-title: Phishing
+title: How to protect against phishing attacks
 ms.reviewer: 
 description: Learn about how phishing work, deliver malware do your devices, and  what you can do to protect yourself
 keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack
@ -16,98 +16,15 @@ ms.topic: article
 search.appverid: met150
 ---
-# Phishing
+# How to protect against phishing attacks
 Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication. They try to look like official communication from legitimate companies or individuals.
 Cybercriminals often attempt to steal usernames, passwords, credit card details, bank account information, or other credentials. They use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. The information can also be sold in cybercriminal underground markets.
 ## What to do if you've been a victim of a phishing scam
 If you feel you've been a victim of a phishing attack:
 1. Contact your IT admin if you are on a work computer. 
 2. Immediately change all passwords associated with the accounts.
 3. Report any fraudulent activity to your bank and credit card company.
 ### Reporting spam
 - **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**.
 - **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**.
 - **Microsoft**: Create a new, blank email message with the one of the following recipients:
    - Junk: junk@office365.microsoft.com
    - Phishing: phish@office365.microsoft.com
    Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
 - **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved.
 If you’re on a suspicious website:
 - **Microsoft Edge**: While you’re on a suspicious site, select the **More (…) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website.
 - **Internet Explorer**: While you’re on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website.
 >[!NOTE]
 >For more information, see [Protect yourself from phishing](https://support.microsoft.com/en-us/help/4033787/windows-protect-yourself-from-phishing).
 ## How phishing works
 Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season bait content can be tax-filing announcements that attempt to lure you into providing personal information such as your SSN or bank account information.
 Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information.
 Another common phishing technique is the use of emails that direct you to open a malicious attachment like a PDF file. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you.
 ## Phishing trends and techniques
 ### Invoice phishing
 In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds.
 ### Payment/delivery scam
 You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. However, you aren't aware of any items you have recently purchased from them.
 ### Tax-themed phishing scams
 A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts.
 ### Downloads
 An attacker sends a fraudulent email requesting you to open or download a document, often requiring you to sign in.
 ### Phishing emails that deliver other threats
 Phishing emails are often very effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files.
 We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.
 ## Targeted attacks against enterprises
 ### Spear phishing
 Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target.
 Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer.
 The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks.
 ### Whaling
 Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization.
 ### Business email compromise
 Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers.
 ## How to protect against phishing attacks
 Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be aware and never provide sensitive or personal information through email or unknown websites, or over the phone. Remember, phishing emails are designed to appear legitimate.
-### Awareness
+## Learn the signs of a phishing scam
 The best protection is awareness and education. Don’t open attachments or links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL.
@ -141,9 +58,7 @@ Here are several telltale signs of a phishing scam:
 If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
-For more information, download and read this Microsoft [e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments.
+## Software solutions for organizations
 ### Software solutions for organizations
 * [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) and [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry-leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data.
@ -151,14 +66,36 @@ For more information, download and read this Microsoft [e-book on preventing soc
 * Use [Office 365 Advanced Threat Protection (ATP)](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection.
-For more tips and software solutions, see [prevent malware infection](prevent-malware-infection.md).
+## What to do if you've been a victim of a phishing scam
 If you feel you've been a victim of a phishing attack:
 1. Contact your IT admin if you are on a work computer
 2. Immediately change all passwords associated with the accounts
 3. Report any fraudulent activity to your bank and credit card company
 ### Reporting spam
 - **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**.
 - **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**.
 - **Microsoft**: Create a new, blank email message with the one of the following recipients:
    - Junk: junk@office365.microsoft.com
    - Phishing: phish@office365.microsoft.com
    Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
 - **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved.
 ### If you’re on a suspicious website
 - **Microsoft Edge**: While you’re on a suspicious site, select the **More (…) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website.
 - **Internet Explorer**: While you’re on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website.
 ## More information about phishing attacks
-For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/):
+- [Protect yourself from phishing](https://support.microsoft.com/help/4033787/windows-protect-yourself-from-phishing)
-
+- [Phishing trends](phishing-trends.md)
-* [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc)
+- [Microsoft e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments.
 * [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc)
 * [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc)
--- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
@ -25,7 +25,7 @@ ms.topic: article
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV Assessment section in the Update Compliance add-in.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
@ -22,7 +22,7 @@ ms.date: 08/17/2020
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
@ -1,5 +1,5 @@
 ---
-title: Manage Windows Defender  in your business
+title: Manage Windows Defender in your business
 description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV
 keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
 search.product: eADQiWindows 10XVcnh
@ -23,16 +23,16 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 You can manage and configure Microsoft Defender Antivirus with the following tools:
- Microsoft Intune
+- Microsoft Intune (now part of Microsoft Endpoint Manager)
- Microsoft Endpoint Configuration Manager
+- Microsoft Endpoint Configuration Manager (now part of Microsoft Endpoint Manager)
 - Group Policy
 - PowerShell cmdlets
 - Windows Management Instrumentation (WMI)
- The mpcmdrun.exe utility
+- The Microsoft Malware Protection Command Line Utility (referred to as the *mpcmdrun.exe* utility
 The articles in this section provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 ## Use Microsoft Intune to configure scanning options
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
@ -1,6 +1,6 @@
 ---
-title: Enable Block at First Sight to detect malware in seconds
+title: Enable block at first sight to detect malware in seconds
-description: Turn on the block at first sight feature to detect and block malware within seconds, and validate that it is configured correctly.
+description: Turn on the block at first sight feature to detect and block malware within seconds.
 keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@ -12,7 +12,7 @@ ms.author: deniseb
 ms.reviewer: 
 manager: dansimp
 ms.custom: nextgen
-ms.date: 08/26/2020
+ms.date: 10/22/2020
 ---
 # Turn on block at first sight
@ -24,9 +24,9 @@ ms.date: 08/26/2020
 - Microsoft Defender Antivirus
-Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention. 
+Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments. 
-You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
+You can [specify how long a file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
 >[!TIP]
 >Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
@ -40,109 +40,75 @@ Microsoft Defender Antivirus uses multiple detection and prevention technologies
 In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
-Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
+Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if the file is a previously undetected file.
 If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
 In many cases, this process can reduce the response time for new malware from hours to seconds.
-## Confirm and validate that block at first sight is turned on
+## Turn on block at first sight with Microsoft Intune
-Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Microsoft Defender Antivirus deployments.
+> [!TIP]
 > Microsoft Intune is now part of Microsoft Endpoint Manager.
-### Confirm block at first sight is turned on with Intune
+1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Devices** > **Configuration profiles**.
-1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Microsoft Defender Antivirus**.
+2. Select or create a profile using the **Device restrictions** profile type.
-   > [!NOTE]
+3. In the **Configuration settings** for the Device restrictions profile, set or confirm the following settings under **Microsoft Defender Antivirus**:
   > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
-2. Verify these settings are configured as follows:
+   - **Cloud-delivered protection**: Enabled
-
+   - **File Blocking Level**: High
-   - **Cloud-delivered protection**: **Enable**
+   - **Time extension for file scanning by the cloud**: 50
-   - **File Blocking Level**: **High**
+   - **Prompt users before sample submission**: Send all data without prompting
   - **Time extension for file scanning by the cloud**: **50**
   - **Prompt users before sample submission**: **Send all data without prompting**
   ![Intune config](images/defender/intune-block-at-first-sight.png)
-   > [!WARNING]
+4. Save your settings.
   > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus).
-For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+> [!TIP]
 > - Setting the file blocking level to **High** applies a strong level of detection. In the unlikely event that file blocking causes a false positive detection of legitimate files, you can [restore quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus).
 > - For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
 > - For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
-For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
+## Turn on block at first sight with Microsoft Endpoint Manager
-### Turn on block at first sight with Microsoft Endpoint Configuration Manager
+> [!TIP]
 > If you're looking for Microsoft Endpoint Configuration Manager, it's now part of Microsoft Endpoint Manager.
-1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**.
+1. In Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), go to **Endpoint security** > **Antivirus**.
-2. Click **Home** > **Create Antimalware Policy**.
+2. Select an existing policy, or create a new policy using the **Microsoft Defender Antivirus** profile type.
-3. Enter a name and a description, and add these settings:
+3. Set or confirm the following configuration settings:
   - **Real time protection**
   - **Advanced**
   - **Cloud Protection Service**
-4. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
+   - **Turn on cloud-delivered protection**: Yes
-   ![Enable real-time protection](images/defender/sccm-real-time-protection.png)
+   - **Cloud-delivered protection level**: High
   - **Defender Cloud Extended Timeout in Seconds**: 50
-5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
+   :::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in Endpoint Manager":::
   ![Enable Advanced settings](images/defender/sccm-advanced-settings.png)
-6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking suspicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.
+4. Apply the Microsoft Defender Antivirus profile to a group, such as **All users**, **All devices**, or **All users and devices**.
   ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png)
-7. Click **OK** to create the policy.
+## Turn on block at first sight with Group Policy
-### Confirm block at first sight is turned on with Group Policy
+> [!NOTE]
 > We recommend using Intune or Microsoft Endpoint Manager to turn on block at first sight. 
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. 
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration** > **Administrative templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS**. 
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**:
+3. In the MAPS section, double-click **Configure the 'Block at First Sight' feature**, and set it to **Enabled**, and then select **OK**.
-    1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
+    > [!IMPORTANT]
    2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**.
    > [!WARNING]
    > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
-4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Real-time Protection**:
+4. In the MAPS section, double-click **Send file samples when further analysis is required**, and set it to **Enabled**. Under **Send file samples when further analysis is required**, select **Send all samples**, and then click **OK**.
-    1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**.
+5. If you changed any settings, redeploy the Group Policy Object across your network to ensure all endpoints are covered.
-    2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**.
+## Confirm block at first sight is enabled on individual clients
 5. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MpEngine**:
    1. Double-click **Select cloud protection level** and ensure the option is set to **Enabled**. 
    2. Ensure that **Select cloud blocking level** section on the same page is set to **High blocking level**, and then click **OK**.
 If you had to change any of the settings, you should redeploy the Group Policy Object across your network to ensure all endpoints are covered.
 ### Confirm block at first sight is turned on with Registry editor
 1. Start Registry Editor.
 2. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet`, and make sure that 
    1. **SpynetReporting** key is set to **1**
    2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples)
 3. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection`, and make sure that
    1. **DisableIOAVProtection** key is set to **0**
    2. **DisableRealtimeMonitoring** key is set to **0**
 4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that the **MpCloudBlockLevel** key is set to **2**
 ### Confirm Block at First Sight is enabled on individual clients
 You can confirm that block at first sight is enabled on individual clients using Windows security settings.
@ -157,24 +123,43 @@ Block at first sight is automatically enabled as long as **Cloud-delivered prote
 3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
 > [!NOTE]
-> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+> - If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. 
 > - Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
-### Validate block at first sight is working
+## Validate block at first sight is working
-You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
+To validate that the feature is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
 ## Turn off block at first sight
-> [!WARNING]
+> [!CAUTION]
-> Turning off block at first sight will lower the protection state of the endpoint and your network.
+> Turning off block at first sight will lower the protection state of your device(s) and your network.
-You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
+You might choose to disable block at first sight if you want to retain the prerequisite settings without actually using block at first sight protection. You might do temporarily turn block at first sight off if you are experiencing latency issues or you want to test the feature's impact on your network. However, we do not recommend disabling block at first sight protection permanently.
 ### Turn off block at first sight with Microsoft Endpoint Manager
 1. Go to Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
 2. Go to **Endpoint security** > **Antivirus**, and then select your Microsoft Defender Antivirus policy.
 3. Under **Manage**, choose **Properties**.
 4. Next to **Configuration settings**, choose **Edit**.
 5. Change one or more of the following settings:
   - Set **Turn on cloud-delivered protection** to **No** or **Not configured**.
   - Set **Cloud-delivered protection level** to **Not configured**.
   - Clear the **Defender Cloud Extended Timeout In Seconds** box.
 6. Review and save your settings.
 ### Turn off block at first sight with Group Policy
 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
 3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
@ -22,7 +22,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
@ -22,7 +22,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
@ -22,7 +22,7 @@ ms.date: 10/21/2020
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 > [!IMPORTANT]
 > Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md).
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 You can configure Microsoft Defender Antivirus with a number of tools, including:
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
@ -22,7 +22,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 Microsoft Defender Antivirus uses several methods to provide threat protection:
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.custom: nextgen
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 When Microsoft Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Microsoft Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@ -16,24 +16,24 @@ ms.reviewer:
 manager: dansimp
 ---
-# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
+# Customize, initiate, and review the results of Microsoft Defender Antivirus scans & remediation
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. 
 ## In this section
-Topic | Description
+| Article | Description |
---|---
+|:---|:---|
-[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
+|[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning |
-[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
+|[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning |
-[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
+|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder |
-[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
+|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans |
-[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
+|[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app |
-[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using  Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
+|[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using  Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app |
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection. 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
@ -22,7 +22,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge)
 > [!NOTE]
--- a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
@ -22,7 +22,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/images/endpointmgr-antivirus-cloudprotection.png
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/images/endpointmgr-antivirus-cloudprotection.png
--- a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 Microsoft Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 Microsoft Defender Antivirus lets you determine when it should look for and download updates.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.date: 10/21/2020
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@ -23,7 +23,7 @@ ms.date: 09/28/2020
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 ## Overview
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
@ -22,7 +22,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
@ -22,7 +22,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).  
--- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results. 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@ -11,8 +11,8 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/30/2020
+ms.date: 10/26/2020
-ms.reviewer: 
+ms.reviewer: pauhijbr
 manager: dansimp
 ---
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 > [!NOTE]
 > By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default. 
@ -32,7 +32,7 @@ In addition to always-on real-time protection and [on-demand](run-scan-microsoft
 You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
-This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10).
 ## To configure the Group Policy settings described in this article
@ -74,12 +74,12 @@ Scheduled scans will run at the day and time you specify. You can use Group Poli
 ### Use Group Policy to schedule scans
-Location | Setting | Description | Default setting (if not configured)
+| Location | Setting | Description | Default setting (if not configured) |
---|---|---|---
+|:---|:---|:---|:---|
-Scan | Specify the scan type to use for a scheduled scan | Quick scan
+|Scan | Specify the scan type to use for a scheduled scan | Quick scan |
-Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
+|Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never |
-Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
+| Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. |
-Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. <br>In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
+| Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. <br>In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled |
 ### Use PowerShell cmdlets to schedule scans
@ -119,9 +119,9 @@ You can set the scheduled scan to only occur when the endpoint is turned on but
 ### Use Group Policy to schedule scans
-Location | Setting | Description | Default setting (if not configured)
+|Location | Setting | Description | Default setting (if not configured) |
---|---|---|---
+|:---|:---|:---|:---|
-Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled
+|Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled |
 ### Use PowerShell cmdlets
@ -152,10 +152,10 @@ Some threats may require a full scan to complete their removal and remediation.
 ### Use Group Policy to schedule remediation-required scans
-Location | Setting | Description | Default setting (if not configured)
+| Location | Setting | Description | Default setting (if not configured) |
---|---|---|---
+|---|---|---|---|
-Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
+|Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never |
-Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+|Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
 ### Use PowerShell cmdlets
@ -190,10 +190,10 @@ You can enable a daily quick scan that can be run in addition to your other sche
 ### Use Group Policy to schedule daily scans
-Location | Setting | Description | Default setting (if not configured)
+| Location | Setting | Description | Default setting (if not configured)| 
---|---|---|---
+|:---|:---|:---|:---|
-Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never
+|Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never |
-Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+|Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
 ### Use PowerShell cmdlets to schedule daily scans
--- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
@ -1,6 +1,6 @@
 ---
-title: Specify cloud-delivered protection level in Microsoft Defender Antivirus
+title: Specify the cloud-delivered protection level for Microsoft Defender Antivirus
-description: Set the aggressiveness of cloud-delivered protection in Microsoft Defender Antivirus.
+description: Set your level of cloud-delivered protection for Microsoft Defender Antivirus.
 keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@ -10,7 +10,7 @@ ms.sitesec: library
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 08/12/2020
+ms.date: 10/26/2020
 ms.reviewer: 
 manager: dansimp
 ms.custom: nextgen
@ -25,56 +25,63 @@ ms.custom: nextgen
 - Microsoft Defender Antivirus
-You can specify the level of cloud-protection offered by Microsoft Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager.
+You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy.
->[!NOTE]
+> [!TIP]
->The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+> Cloud protection is not simply protection for files that are stored in the cloud. The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and devices (also called endpoints). Cloud protection with Microsoft Defender Antivirus uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional security intelligence updates. 
 > Microsoft Intune and Microsoft Endpoint Configuration Manager are now part of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). 
 ## Use Intune to specify the level of cloud-delivered protection
-1. Sign in to the [Azure portal](https://portal.azure.com).
+## Use Microsoft Endpoint Manager to specify the level of cloud-delivered protection
-2. Select **All services > Intune**.
+
-3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
-4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**.
+
-5. On the **File Blocking Level** switch, select one of the following:
+2. Choose **Endpoint security** > **Antivirus**.
 3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
 4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
 5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following:
    1. **High**: Applies a strong level of detection.
-    2. **High +**: Uses the **High** level and applies additional protection measures (may impact client performance).
+    2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance).
    3. **Zero tolerance**: Blocks all unknown executables.
-8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
+6. Choose **Review + save**, and then choose **Save**. 
-For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
+> [!TIP]
 > Need some help? See the following resources:
 > - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
 > - [Add endpoint protection settings in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure)
 ## Use Configuration Manager to specify the level of cloud-delivered protection
 See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
 ## Use Group Policy to specify the level of cloud-delivered protection
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx).
 2. Right-click the Group Policy Object you want to configure, and then click **Edit**.
-3.  In the **Group Policy Management Editor** go to **Computer configuration**. 
+3.  In the **Group Policy Management Editor** go to **Computer Configuration** > **Administrative templates**.
-4.  Click **Administrative templates**.
+4.  Expand the tree to **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**.
-5.  Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**.
+5.  Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
 6.  Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
    - **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files.
    - **Moderate blocking level** provides moderate only for high confidence detections
-    - **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
+    - **High blocking level** applies a strong level of detection while optimizing client performance (but can also give you a greater chance of false positives).
-    - **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
+    - **High + blocking level** applies additional protection measures (might impact client performance and increase your chance of false positives).
    - **Zero tolerance blocking level** blocks all unknown executables.
    > [!WARNING]
    > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
-7. Click **OK**.
+6. Click **OK**.
 7. Deploy your updated Group Policy Object. See [Group Policy Management Console](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx)
 > [!TIP]
 > Are you using Group Policy Objects on premises? See how they translate in the cloud. [Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Endpoint Manager - Preview](https://docs.microsoft.com/mem/intune/configuration/group-policy-analytics). 
 ## Related articles
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
@ -22,7 +22,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
@ -22,7 +22,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 > [!IMPORTANT]
 > On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
@ -22,7 +22,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Microsoft Defender Antivirus on your endpoints.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
@ -11,7 +11,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 10/26/2018
 ms.reviewer: 
 manager: dansimp
 ---
@ -23,15 +23,25 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Microsoft Defender Antivirus scans.
+If you were using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans.
-In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Microsoft Defender Antivirus.
+1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Endpoint Security**.
-See the [Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
+2. Under **Manage**, choose **Antivirus**.
-For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+3. Select your Microsoft Defender Antivirus policy. 
 4. Under **Manage**, choose **Properties**.
 5. Next to **Configuration settings**, choose **Edit**.
 6. Expand the **Scan** section, and review or edit your scanning settings.
 7. Choose **Review + save**
 Need help? See [Manage endpoint security in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security).
 ## Related articles
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)).
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@ -17,7 +17,7 @@ ms.custom: asr
 # Configure Microsoft Defender Application Guard policy settings
 **Applies to:** 
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 02/19/2019
+ms.date: 10/21/2020
 ms.reviewer: 
 manager: dansimp
 ms.custom: asr
@ -17,7 +17,7 @@ ms.custom: asr
 # Prepare to install Microsoft Defender Application Guard
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 ## Review system requirements
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@ -18,7 +18,7 @@ ms.custom: asr
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
@ -45,11 +45,13 @@ For information on other tables in the advanced hunting schema, see [the advance
 | `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
 | `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
 | `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
-
+| `IsApplicable` | boolean | Indicates whether the configuration or policy applies to the device |
 | `Context`	| string | Additional contextual information about the configuration or policy |
 | `IsExpectedUserImpactCompliant` | boolean | Indicates whether there will be user impact if the configuration or policy is applied |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@ -72,8 +72,9 @@ Field numbers match the numbers in the images below.
 > |                  | LogOnUsers                | sourceUserId        | contoso\liz-bean;   contoso\jay-hardee                                             | The domain and user of the   interactive logon user/s at the time of the event. Note: For devices on   Windows 10 version 1607, the domain information will not be available. |
 > |                  | InternalIPv4List          | No mapping          | 192.168.1.7, 10.1.14.1                                                             | List of IPV4 internal IPs for active network interfaces.                                                                                                                                                                               |
 > |                  | InternalIPv6List          | No mapping          | fd30:0000:0000:0001:ff4e:003e:0009:000e,   FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces.                                                                                                                                                                               |
-| | LinkToMTP | flexString1 | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection.
+| | LinkToMTP | No mapping | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection.
-| | IncidentLinkToMTP | flexString1 | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
+| | IncidentLinkToMTP | No mapping | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
 | | IncidentLinkToWDATP | No mapping | `https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
 > | Internal   field | LastProcessedTimeUtc      | No mapping          | 2017-05-07T01:56:58.9936648Z                                                       | Time when event arrived at the   backend. This field can be used when setting the request parameter for the range of time that detections are retrieved.                         |
 > |                  | Not part of the schema    | deviceVendor        |                                                                                    | Static value in the ArcSight   mapping - 'Microsoft'.                                                                                                                          |
 > |                  | Not part of the schema    | deviceProduct       |                                                                                    | Static value in the ArcSight   mapping - 'Microsoft Defender ATP'.                                                                                                               |
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@ -11,7 +11,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: deniseb
 author: denisebmsft
-ms.date: 09/30/2020
+ms.date: 10/21/2020
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
@ -27,15 +27,21 @@ ms.custom: AIR
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806)
 > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
 Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively. 
 Watch the following video to see how automated investigation and remediation works:
 > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh]
 Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions.
 > [!TIP]
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink).
 ## How the automated investigation starts
@ -72,28 +78,19 @@ If an incriminated entity is seen in another device, the automated investigation
 ## How threats are remediated
-Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats.
+As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. 
-> [!NOTE]
+As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](manage-auto-investigation.md#remediation-actions).)  
 > Microsoft Defender for Endpoint tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
-You can configure the following levels of automation:
+Depending on the [level of automation](automation-levels.md) set for your organization, remediation actions can occur automatically or only upon approval by your security operations team. 
-|Automation level | Description|
+All remediation actions, whether pending or completed, can be viewed in Action Center. If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).)
 |---|---|
 |**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.<br/><br/>***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.* <br/><br/>*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* |
 |**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md). <br/><br/>Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). |
 |**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).<br/><br/> Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples: <br/>- `\users\*\appdata\local\temp\*`<br/>- `\documents and settings\*\local settings\temp\*` <br/>- `\documents and settings\*\local settings\temporary\*`<br/>- `\windows\temp\*`<br/>- `\users\*\downloads\*`<br/>- `\program files\` <br/>- `\program files (x86)\*`<br/>- `\documents and settings\*\users\*` |
 |**Semi - require approval for any remediation** | Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).<br/><br/>*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*<br/><br/>*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*|
 |**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. <br/><br/>***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* |
 > [!IMPORTANT]
 > If your tenant already has device groups defined, then the automation level settings are not changed for those device groups.
 ## Next steps
- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
+- [Get an overview of the automated investigations dashboard](manage-auto-investigation.md)
 - [Learn more about automation levels](automation-levels.md)
 - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
--- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md
@ -0,0 +1,62 @@
 ---
 title: Automation levels in automated investigation and remediation
 description: Get an overview of automation levels and how they work in Microsoft Defender for Endpoint
 keywords: automated, investigation, level, defender atp
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.technology: windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: deniseb
 author: denisebmsft
 ms.date: 10/22/2020
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: 
 - m365-security-compliance 
 - m365initiative-defender-endpoint 
 ms.topic: conceptual
 ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
 ms.custom: AIR
 ---
 # Automation levels in automated investigation and remediation capabilities
 Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval.  
 - *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious.
 - *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table in [Levels of automation](#levels-of-automation).)
 - All remediation actions, whether pending or completed, are tracked in the Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). 
 > [!TIP]
 > For best results, we recommend using full automation when you [configure AIR](configure-automated-investigations-remediation.md). Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives.
 ## Levels of automation
 The following table describes each level of automation and how it works.
 |Automation level | Description|
 |:---|:---|
 |**Full - remediate threats automatically** <br/>(also referred to as *full automation*)| With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.<br/><br/>***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*  |
 |**Semi - require approval for any remediation** <br/>(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.<br/><br/>*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*|
 |**Semi - require approval for core folders remediation** <br/>(also a type of *semi-automation*)  | With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`).<br/><br/>Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. <br/><br/>Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. <br/><br/>Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. |
 |**Semi - require approval for non-temp folders remediation** <br/>(also a type of *semi-automation*)| With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders. <br/><br/>Temporary folders can include the following examples: <br/>- `\users\*\appdata\local\temp\*`<br/>- `\documents and settings\*\local settings\temp\*` <br/>- `\documents and settings\*\local settings\temporary\*`<br/>- `\windows\temp\*`<br/>- `\users\*\downloads\*`<br/>- `\program files\` <br/>- `\program files (x86)\*`<br/>- `\documents and settings\*\users\*`<br/><br/>Remediation actions can be taken automatically on files or executables that are in temporary folders. <br/><br/>Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.<br/><br/>Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab.   |
 |**No automated response** <br/>(also referred to as *no automation*) | With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured.<br/><br/>***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)*. |
 ## Important points about automation levels
 - Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Full automation frees up your critical security resources so they can focus more on your strategic initiatives.
 - New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default.
 - If your security team has defined device groups with a level of automation, those settings are not changed by the new default settings that are rolling out. 
 - You can keep your default automation settings, or change them according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
 ## Next steps
 - [Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint](configure-automated-investigations-remediation.md)
 - [Visit the Action Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
@ -31,7 +31,7 @@ ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
 If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). 
-To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups).
+To configure automated investigation and remediation, [turn on the features](#turn-on-automated-investigation-and-remediation), and then [set up device groups](#set-up-device-groups).
 ## Turn on automated investigation and remediation
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
@ -41,6 +41,14 @@ ms.date: 04/24/2018
 > For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates.
 ## Onboard devices using Group Policy
 [![Image of the PDF showing the various deployment paths](images/onboard-gp.png)](images/onboard-gp.png#lightbox)
 Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)  or  [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP. 
 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
    a.  In the navigation pane, select **Settings** > **Onboarding**.
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
@ -40,6 +40,10 @@ For more information on enabling MDM with Microsoft Intune, see [Device enrollme
 ## Onboard devices using Microsoft Intune
 [![Image of the PDF showing onboarding devices to Microsoft Defender ATP using Microsoft Intune](images/onboard-intune.png) ](images/onboard-intune-big.png#lightbox)
 Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)  or  [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP. 
 Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
 For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
@ -54,6 +58,7 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh
 > After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md).
 Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)  or  [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP. 
 ## Offboard and monitor devices using Mobile Device Management tools
 For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
@ -52,6 +52,14 @@ Starting in Configuration Manager version 2002, you can onboard the following op
 ### Onboard devices using System Center Configuration Manager
 [![Image of the PDF showing the various deployment paths](images/onboard-config-mgr.png)](images/onboard-config-mgr.png#lightbox)
 Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)  or  [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP. 
 1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
    a. In the navigation pane, select **Settings** > **Onboarding**.
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
@ -40,6 +40,13 @@ You can also manually onboard individual devices to Microsoft Defender ATP. You
 > To deploy at scale, use [other deployment options](configure-endpoints.md). For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md).
 ## Onboard devices 
 [![Image of the PDF showing the various deployment paths](images/onboard-script.png)](images/onboard-script.png#lightbox)
 Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)  or  [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP. 
 1.  Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
    1. In the navigation pane, select **Settings** > **Onboarding**.
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@ -109,11 +109,12 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/
 If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.
 The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
-|**Item**|**Description**|
+|**Spreadsheet of domains list**|**Description**|
 |:-----|:-----|
-|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-docs-pr/blob/prereq-urls/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)  | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. 
+|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)<br/>  | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) 
 If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning.
--- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
@ -1,6 +1,6 @@
 ---
 title: Deployment phases
-description: Learn how deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service
+description: Learn how to deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service
 keywords: deploy, prepare, setup, onboard, phase, deployment, deploying, adoption, configuring
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@ -29,23 +29,25 @@ ms.topic: article
 There are three phases in deploying Microsoft Defender ATP:
-|Phase | Desription | 
+|Phase | Description | 
 |:-------|:-----|
 | ![Phase 1: Prepare](images/prepare.png)<br>[Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Microsoft Defender ATP: <br><br>- Stakeholders and sign-off <br> - Environment considerations <br>- Access <br> - Adoption order
 |  ![Phase 2: Setup](images/setup.png) <br>[Phase 2: Setup](production-deployment.md)|  Take the initial steps to access Microsoft Defender Security Center. You'll be guided on:<br><br>- Validating the licensing <br>  - Completing the setup wizard within the portal<br>- Network configuration|
-|  ![Phase 3: Onboard](images/onboard.png) <br>[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them. You'll be guided on:<br><br>- Using Microsoft Endpoint Configuration Manager to onboard devices<br>- Configure capabilities 
+|  ![Phase 3: Onboard](images/onboard.png) <br>[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them. 
- The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP. 
+The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP. 
-There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md).
+If you're unfamiliar with the general deployment planning steps, check out the [Plan deployment](deployment-strategy.md) topic to get a  high-level overview of the general deployment steps and methods.
 ## In Scope
 The following is in scope for this deployment guide:
-   Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service
+-   Use of Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager to onboard endpoints into the service and configure capabilities
 -   Enabling Microsoft Defender ATP endpoint detection and response (EDR)  capabilities
 -   Enabling Microsoft Defender ATP endpoint protection platform (EPP)
    capabilities
@ -54,11 +56,6 @@ The following is in scope for this deployment guide:
    -   Attack surface reduction
 -   Enabling Microsoft Defender ATP endpoint detection and response (EDR)
    capabilities including automatic investigation and remediation
 -   Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
 ## Out of scope
--- a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
@ -1,5 +1,5 @@
 ---
-title: Plan your Microsoft Defender ATP deployment strategy
+title: Plan your Microsoft Defender ATP deployment 
 description: Select the best Microsoft Defender ATP deployment strategy for your environment
 keywords: deploy, plan, deployment strategy, cloud native, management, on prem, evaluation, onboarding, local, group policy, gp, endpoint manager, mem
 search.product: eADQiWindows 10XVcnh
@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
-# Plan your Microsoft Defender ATP deployment strategy
+# Plan your Microsoft Defender ATP deployment 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@ -27,24 +27,51 @@ ms.topic: article
 Depending on the requirements of your environment, we've put together material to help guide you through the various options you can adopt to deploy Microsoft Defender ATP. 
 These are the general steps you need to take to deploy Microsoft Defender ATP:
-You can deploy Microsoft Defender ATP using various management tools. In general the following management tools are supported:
+![Image of deployment flow](images/onboarding-flow-diagram.png)
- Group policy
+- Identify architecture
- Microsoft Endpoint Configuration Manager
+- Select deployment method
- Mobile Device Management tools
+- Configure capabilities
 - Local script
-## Microsoft Defender ATP deployment strategy
+## Step 1: Identify architecture
 We understand that every enterprise environment is unique, so we've provided several options to give you the flexibility in choosing how to deploy the service.
-Depending on your environment, some tools are better suited for certain architectures.
+Depending on your environment, some tools are better suited for certain architectures. 
 Use the following material to select the appropriate Microsoft Defender ATP architecture that best suites your organization.
 |**Item**|**Description**|
 |:-----|:-----|
 |[![Thumb image for Microsoft Defender ATP deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)<br/> [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)  \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li>
 ## Step 2: Select deployment method
 Microsoft Defender ATP supports a variety of endpoints that you can onboard to the service. 
 The following table lists the supported endpoints and the corresponding deployment tool that you can use so that you can plan the deployment appropriately.
 | Endpoint     | Deployment tool                       |
 |--------------|------------------------------------------|
 | **Windows**  |  [Local script (up to 10 devices)](configure-endpoints-script.md) <br>  [Group Policy](configure-endpoints-gp.md) <br>  [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br>   [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md)   |
 | **macOS**    | [Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) |
 | **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
 | **iOS**      | [App-based](ios-install.md)                                |
 | **Android**  | [Microsoft Endpoint Manager](android-intune.md)               | 
 ## Step 3: Configure capabilities
 After onboarding endpoints, configure the security capabilities in Microsoft Defender ATP so that you can maximize the robust security protection available in the suite. Capabilities include:
 - Endpoint detection and response
 - Next-generation protection
 - Attack surface reduction
 ## Related topics
 - [Deployment phases](deployment-phases.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@ -52,8 +52,13 @@ You must have **Manage security settings** permissions to:
 - Reset password
 - Create simulations 
 If you enabled role-based access control (RBAC) and created at least a one machine group, users must have access to All machine groups.
 For more information, see [Create and manage roles](user-roles.md).
 Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink)
--- a/windows/security/threat-protection/microsoft-defender-atp/images/deployment-strategy-big.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/deployment-strategy-big.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-config-mgr.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-config-mgr.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-configure-diagram.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-configure-diagram.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-gp.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-gp.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-intune-big.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-intune-big.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-intune.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-intune.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-script.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-script.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/onboarding-flow-diagram.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/onboarding-flow-diagram.png
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@ -338,6 +338,18 @@ Specify whether to show or hide the status menu icon in the top-right corner of
 | **Data type** | Boolean |
 | **Possible values** | false (default) <br/> true |
 #### Show / hide option to send feedback
 Specify whether users can submit feedback to Microsoft by going to `Help` > `Send Feedback`.
 |||
 |:---|:---|
 | **Domain** | `com.microsoft.wdav` |
 | **Key** | userInitiatedFeedback |
 | **Data type** | String |
 | **Possible values** | enabled (default) <br/> disabled |
 | **Comments** | Available in Microsoft Defender ATP version 101.19.61 or higher. |
 ### Endpoint detection and response preferences
 Manage the preferences of the endpoint detection and response (EDR) component of Microsoft Defender ATP for Mac.
@ -626,6 +638,8 @@ The following templates contain entries for all settings described in this docum
    <dict>
        <key>hideStatusMenuIcon</key>
        <false/>
        <key>userInitiatedFeedback</key>
 		<string>enabled</string>
    </dict>
 </dict>
 </plist>
@ -766,6 +780,8 @@ The following templates contain entries for all settings described in this docum
                <dict>
                    <key>hideStatusMenuIcon</key>
                    <false/>
                    <key>userInitiatedFeedback</key>
 		            <string>enabled</string>
                </dict>
            </dict>
        </array>
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@ -43,6 +43,12 @@ ms.topic: conceptual
 > 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
 > 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update.
 ## 101.09.61
 - Added a new managed preference for [disabling the option to send feedback](mac-preferences.md#show--hide-option-to-send-feedback)
 - Status menu icon now shows a healthy state when the product settings are managed. Previously, the status menu icon was displaying a warning or error state, even though the product settings were managed by the administrator
 - Performance improvements & bug fixes
 ## 101.09.50
 - This product version has been validated on macOS Big Sur 11 beta 9
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@ -97,10 +97,9 @@ After you've enabled the service, you may need to configure your network or fire
 The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
-
+|**Spreadsheet of domains list**|**Description**|
 |**Item**|**Description**|
 |:-----|:-----|
-|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)  | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. 
+|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)<br/>  | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) 
--- a/Show More
+++ b/Show More