diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index db8be2a652..ba40f7eb71 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -13102,8 +13102,36 @@
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-atp/secure-score-windows-defender-advanced-threat-protection",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection",
 "redirect_document_id": true
-}
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md",
+"redirect_url": 
"/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, + + + ] } diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 7386a98046..f6760a6028 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -39,9 +39,9 @@ #### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) ### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md) #### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md) -#### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md) -#### [View the Secure score dashboard and improve your secure score](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md) -#### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-windows-defender-advanced-threat-protection.md) +#### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md) +#### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md) +#### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) ###Investigate and remediate threats ####Alerts queue 
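Review bot: The final added entry (the `settings-windows-defender-advanced-threat-protection.md` redirect) closes with `+},` and is followed only by three added blank lines before the unchanged ` ]`, which leaves a trailing comma at the end of the array. Strict JSON parsers reject a trailing comma, so unless the publishing pipeline's reader is known to be lenient, the whole redirection file can fail to parse and none of the six new redirects (including the renamed secure-score, dashboard and data-retention pages) would take effect, leaving the old URLs as dead links. The fix is to close the last entry with `+}` instead of `+},`, matching the removed `-}` that previously ended the array. The three added blank lines are harmless to a parser but serve no purpose and could be dropped in the same edit.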
@@ -93,7 +93,7 @@ ##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md) ##### [Query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) -### [Enable conditional access to better protect users, devices, and data](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md) +#### [Enable conditional access to better protect users, devices, and data](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md) ###API and SIEM support #### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md) 
@@ -186,11 +186,11 @@ ### [Configure Windows Defender ATP Settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md) ####General -##### [Update data retention settings](windows-defender-atp\general-settings-windows-defender-advanced-threat-protection.md) +##### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md) ##### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md) ##### [Configure automation notifications](windows-defender-atp\configure-automation-notifications-windows-defender-advanced-threat-protection.md) ##### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) -##### [Enable Secure score security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md) +##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md) ##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md) ####Permissions 
@@ -211,7 +211,7 @@ ##### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) ##### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md) -### [Configure Windows Defender ATP time zone settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md) +### [Configure Windows Defender ATP time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md) ### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md) ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index c0bc2bebbc..f900b3617e 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md 
@@ -94,8 +94,8 @@ When you enable this feature, you'll be able to share Windows Defender ATP devic 3. Click **Save preferences**. ## Related topics -- [Update data retention settings](general-settings-windows-defender-advanced-threat-protection.md) +- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) - [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) - [Configure automation notifications](configure-automation-notifications-windows-defender-advanced-threat-protection.md) - [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) -- [Enable Secure Score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md) +- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md index 170568419d..727cdd7358 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md 
@@ -1,6 +1,6 @@ --- title: Advanced hunting best practices in Windows Defender ATP -description: Learn about advanced hunting best practices such as what filters and keywords to use to effectively query data. +description: Learn about Advanced hunting best practices such as what filters and keywords to use to effectively query data. keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -39,7 +39,7 @@ The following best practices serve as a guideline of query performance best prac ## Query tips and pitfalls ### Unique Process IDs -Process IDs are recycled in Windows and reused for new processes and therefore can’t serve as a unique identifier for a specific process. +Process IDs are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process. To address this issue, Windows Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md index 2fff8ca906..f5376084b6 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md 
@@ -1,6 +1,6 @@ --- title: Advanced hunting reference in Windows Defender ATP -description: Learn about advanced hunting table reference such as column name, data type, and description +description: Learn about Advanced hunting table reference such as column name, data type, and description keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md index 66684eb442..f1814c3b38 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Query data using Advanced hunting in Windows Defender ATP -description: Learn about advanced hunting in Windows Defender ATP and how to query ATP data. +description: Learn about Advanced hunting in Windows Defender ATP and how to query ATP data. keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -32,10 +32,10 @@ Advanced hunting allows you to proactively hunt for possible threats across your - **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level. - **Query the stored telemetry** - The telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types. -- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the advanced hunting query experience and the existing portal investigation experience. +- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the Advanced hunting query experience and the existing portal investigation experience. - **Query examples** - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language. -To get you started in querying your data, you can use the basic or advanced query examples that have some preloaded queries for you to understand the basic query syntax. +To get you started in querying your data, you can use the basic or Advanced query examples that have some preloaded queries for you to understand the basic query syntax. ![Image of Advanced hunting window](images/atp-advanced-hunting.png) @@ -45,7 +45,7 @@ A typical query starts with a table name followed by a series of operators separ In the following example, we start with the table name **ProcessCreationEvents** and add piped elements as needed. -![Image of Windows Defender ATP advanced hunting query](images/advanced-hunting-query-example.png) +![Image of Windows Defender ATP Advanced hunting query](images/advanced-hunting-query-example.png) First, we define a time filter to review only records from the previous seven days. 
@@ -74,9 +74,9 @@ To see a live example of these operators, run them as part of the **Get started* For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/). -## Use exposed tables in advanced hunting +## Use exposed tables in Advanced hunting -The following tables are exposed as part of advanced hunting: +The following tables are exposed as part of Advanced hunting: - **AlertEvents** - Stores alerts related information - **MachineInfo** - Stores machines proprties 
@@ -126,23 +126,23 @@ These steps guide you on modifying and overwriting an existing query. 2. Select **Delete** and confirm that you want to delete the query. -## Result set capabilities in advanced hunting +## Result set capabilities in Advanced hunting The result set has several capabilities to provide you with effective investigation, including: - Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal. - You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set. -![Image of Windows Defender ATP advanced hunting result set](images/atp-advanced-hunting-results-filter.png) +![Image of Windows Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png) -## Filter results in advanced hunting -In advanced hunting, you can use the advanced filter on the output result set of the query. +## Filter results in Advanced hunting +In Advanced hunting, you can use the advanced filter on the output result set of the query. The filters provide an overview of the result set where each column has it's own section and shows the distinct values that appear in the column and their prevalence. You can refine your query based on the filter by clicking the "+" or "-" buttons on the values that you want to include or exclude and click **Run query**. -![Image of advanced hunting filter](images/atp-filter-advanced-hunting.png) +![Image of Advanced hunting filter](images/atp-filter-advanced-hunting.png) The filter selections will resolve as an additional query term and the results will be updated accordingly. 
diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index b8740c9210..1c2c7bb632 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Automated investigations in Windows Defender Advanced Threat Protection +title: Use Automated investigations to investigate and remediate threats description: View the list of automated investigations, its status, detection source and other details. keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export search.product: eADQiWindows 10XVcnh @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.date: 04/16/2018 --- -# Automated investigations in Windows Defender ATP +# Use Automated investigations to investigate and remediate threats **Applies to:** @@ -155,9 +155,12 @@ You'll also have access to the following sections that help you see details of t - Entities - Log - Pending actions + >[!NOTE] >The Pending actions tab is only displayed if there are actual pending actions. + - Pending actions history + >[!NOTE] >The Pending actions history tab is only displayed when an investigation is complete. 
@@ -178,7 +181,7 @@ Clicking on an alert title brings you the alert page. ### Machines Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated. -Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If the same threat is seen on more than nine machines, you have the option to expand the view from the **Pending actions** view. +Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users. diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md index 1fad7fd83a..96bf15ed8c 100644 --- a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Enable conditional access in Windows Defedener ATP +title: Enable conditional access to better protect users, devices, and data description: Enable conditional access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant. keywords: conditional access, block applications, security level, intune, search.product: eADQiWindows 10XVcnh 
@@ -13,7 +13,7 @@ ms.localizationpriority: high ms.date: 03/05/2018 --- -# Enable conditional access in Windows Defender ATP +# Enable conditional access to better protect users, devices, and data **Applies to:** 
@@ -37,12 +37,23 @@ The implementation of conditional access in Windows Defender ATP is based on Mic The compliance policy is used with conditional access to allow only devices that fulfill one or more device compliance policy rules to access applications. -## Understand conditional access -When a device is found to be at high risk, the signal is communicated to Intune. In Intune, a device compliance policy is used in conjunction with Azure AD conditional access to block access to applications. In parallel, an automated investigation and remediation process is launched. +## Understand the conditional access flow +When a device is found to be at high risk, the signal is communicated to Intune. -A device returns to a compliant state when there is lower risk seen on it. A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated. When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted. +In Intune, a device compliance policy is used in conjunction with Azure AD conditional access to block access to applications. In parallel, an automated investigation and remediation process is launched. -The following image shows the conditional access flow in action: + A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated. + + +To resolve the high risk found on a device, you'll need to return the device to a compliant state. A device returns to a compliant state when there is no risk seen on it. + +There are two ways to address a risk: through manual remediation or automated remediation. + +Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. 
The automated remediation is configured through configuration settings provided in the following section, [Configure conditional access](#configure-conditional-access). + +When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted. + +The following example sequence of events explains conditional access in action: 1. A user opens a malicious file and Windows Defender ATP flags the device as high risk. 2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat. 
@@ -59,11 +70,14 @@ The following image shows the conditional access flow in action: You'll need to take the following steps to enable conditional access: 1. Turn on the Microsoft Intune connection. For more information, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md). -2. Turn on the Windows Defender ATP integration in Intune. For more information, see LINK TO THE CONTENT INTUNE WRITER IS MAKING. + +2. Turn on the Windows Defender ATP integration in Intune. For more information, see __________ + - Ensure that machines are enrolled. For more information see, [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll). 3. Create a device compliance policy in Intune. For more information, see [Create a compliance policy in the Azure portal](https://docs.microsoft.com/en-us/intune/compliance-policy-create-windows#create-a-compliance-policy-in-the-azure-portal). -3. Define a conditional access policy in AAD. For more information, see [Get started with conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started). + +4. Define a conditional access policy in AAD. For more information, see [Get started with conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started). >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-automation-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-automation-notifications-windows-defender-advanced-threat-protection.md index 5daa2ec50f..f158d5cac3 100644 
--- a/windows/security/threat-protection/windows-defender-atp/configure-automation-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-automation-notifications-windows-defender-advanced-threat-protection.md @@ -62,8 +62,8 @@ You can configure Windows Defender ATP to send automation notifications to speci 2. Confirm that you want to delete the rule. ## Related topics -- [Update data retention settings](general-settings-windows-defender-advanced-threat-protection.md) +- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) - [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) - [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) -- [Enable Secure Score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md) +- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md) - [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 7532bcb577..3aad64701a 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md 
@@ -74,8 +74,8 @@ This section lists various issues that you may encounter when using email notifi 3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications. ## Related topics -- [Update data retention settings](general-settings-windows-defender-advanced-threat-protection.md) +- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) - [Configure automation notifications](configure-automation-notifications-windows-defender-advanced-threat-protection.md) - [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) -- [Enable Secure Score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md) +- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md) - [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 107b9f3bab..3549f21798 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md 
@@ -122,7 +122,7 @@ For security reasons, the package used to Offboard machines will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Offboarding**. + a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**. b. Select Windows 10 as the operating system. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 1f2dddbfb5..eb61fa329a 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -189,7 +189,7 @@ For security reasons, the package used to Offboard machines will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Offboarding**. + a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**. b. Select Windows 10 as the operating system. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 0b627847ad..af8eb22c99 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md 
@@ -127,7 +127,7 @@ For security reasons, the package used to Offboard machines will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Offboarding**. + a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**. b. Select Windows 10 as the operating system. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index e639e16892..bd4f3ab5ad 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -94,7 +94,7 @@ For security reasons, the package used to Offboard machines will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Offboarding**. + a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**. b. Select Windows 10 as the operating system. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md index 7bba11a9bd..93429b881b 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md 
@@ -71,9 +71,13 @@ You can onboard VDI machines using a single entry or multiple entries for each m
 6. Test your solution:
 a. Create a pool with one machine.
+ b. Logon to machine.
+ c. Logoff from machine.
+ d. Logon to machine with another user.
+ e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.
 **For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
index 071b3bf438..6de58eff0f 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
@@ -12,7 +12,7 @@ localizationpriority: high
 ms.date: 04/16/2018
 ---
-# Onboard servers
+# Onboard servers to the Windows Defender ATP service
 **Applies to:**
@@ -138,7 +138,7 @@ To offboard the server, you can use either of the following methods:
 1. Get your Workspace ID:
 a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
- b. Select Windows server 2012, 2012R2 and 2016 as the operating system and get your Workspace ID:
+ b. Select **Windows server 2012, 2012R2 and 2016** as the operating system and get your Workspace ID:
 ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png)
diff --git a/windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
similarity index 89%
rename from windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
index 773515d741..cbcdcb3175 100644
--- a/windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
@@ -39,9 +39,9 @@ During the onboarding process, a wizard takes you through the general settings o
 ## Related topics
-- [Update data retention settings](general-settings-windows-defender-advanced-threat-protection.md)
+- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
 - [Configure alert notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
 - [Configure automation notifications](configure-automation-notifications-windows-defender-advanced-threat-protection.md)
 - [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
-- [Enable Secure Score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md)
+- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
 - [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
index 471ec2069e..696cfce90c 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -29,7 +29,7 @@ ms.date: 04/16/2018
 Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
-1. In the navigation pane, select **Settings** > **Threat intel**.
+1. In the navigation pane, select **Settings** > **APIs** > **Threat intel**.
 ![Image of threat intel API menu](images/atp-threat-intel-api.png)
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
similarity index 86%
rename from windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
index 72a3b87287..1be433e139 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
@@ -39,8 +39,8 @@ Set the baselines for calculating the score of Windows Defender security control
 3. Click **Save preferences**.
 ## Related topics
-- [View the Secure Score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
-- [Update data retention settings for Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
+- [View the Secure Score dashboard](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+- [Update data retention settings for Windows Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md)
 - [Configure alert notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
 - [Configure automation notifications in Windows Defender ATP](configure-automation-notifications-windows-defender-advanced-threat-protection.md)
 - [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
index e5cbafb041..636fa944a1 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -29,7 +29,7 @@ ms.date: 04/16/2018
 Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
-1. In the navigation pane, select **Settings** > **API** > **SIEM**.
+1. In the navigation pane, select **Settings** > **APIs** > **SIEM**.
 ![Image of SIEM integration from Settings menu](images/atp-siem-integration.png)
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Failed.png b/windows/security/threat-protection/windows-defender-atp/images/Failed.png
new file mode 100644
index 0000000000..6cef8a46db
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Failed.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/No threats found.png b/windows/security/threat-protection/windows-defender-atp/images/No threats found.png
new file mode 100644
index 0000000000..11eb05d7c6
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/No threats found.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Partially investigated.png b/windows/security/threat-protection/windows-defender-atp/images/Partially investigated.png
new file mode 100644
index 0000000000..430acc7c42
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Partially investigated.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Partially remediated.png b/windows/security/threat-protection/windows-defender-atp/images/Partially remediated.png
new file mode 100644
index 0000000000..c3060b51b0
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Partially remediated.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Pending.png b/windows/security/threat-protection/windows-defender-atp/images/Pending.png
new file mode 100644
index 0000000000..b5a27d0a58
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Pending.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Remediated.png b/windows/security/threat-protection/windows-defender-atp/images/Remediated.png
new file mode 100644
index 0000000000..9f13d8e5dc
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Remediated.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Running.png b/windows/security/threat-protection/windows-defender-atp/images/Running.png
new file mode 100644
index 0000000000..5de179503f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Running.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Terminated by system.png b/windows/security/threat-protection/windows-defender-atp/images/Terminated by system.png
new file mode 100644
index 0000000000..f1d7bb0531
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Terminated by system.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-save-query.PNG b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-save-query.PNG
index 503af3860f..2da889163c 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-save-query.PNG and b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-save-query.PNG differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png b/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png
index 741aa68817..bafa469657 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png and b/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png
index a532a3cf7a..00185b3daa 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png
index ada5714aab..4fcc40c32c 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-new-alerts-list.png b/windows/security/threat-protection/windows-defender-atp/images/atp-new-alerts-list.png
index 1465e66456..1de15167a2 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-new-alerts-list.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-new-alerts-list.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png b/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png
index 3ed3f0ced8..f80648993e 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/no-threats-found.png b/windows/security/threat-protection/windows-defender-atp/images/no-threats-found.png
new file mode 100644
index 0000000000..fc3ee208d2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/no-threats-found.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/no_threats_found.png b/windows/security/threat-protection/windows-defender-atp/images/no_threats_found.png
new file mode 100644
index 0000000000..4db61c4162
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/no_threats_found.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/partially-investigated.png b/windows/security/threat-protection/windows-defender-atp/images/partially-investigated.png
new file mode 100644
index 0000000000..225988f58b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/partially-investigated.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/partially_investigated.png b/windows/security/threat-protection/windows-defender-atp/images/partially_investigated.png
new file mode 100644
index 0000000000..469ec08f53
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/partially_investigated.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/partially_remediated.png b/windows/security/threat-protection/windows-defender-atp/images/partially_remediated.png
new file mode 100644
index 0000000000..b381112d21
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/partially_remediated.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/terminated-by-system.png b/windows/security/threat-protection/windows-defender-atp/images/terminated-by-system.png
new file mode 100644
index 0000000000..7db354747c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/terminated-by-system.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/terminated_by_system.png b/windows/security/threat-protection/windows-defender-atp/images/terminated_by_system.png
new file mode 100644
index 0000000000..f2d59131d5
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/terminated_by_system.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index d3ef52bed9..a8ab760dc1 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -28,7 +28,7 @@ You can click on affected machines whenever you see them in the portal to open a
 - The [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
 - The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
-- The [Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- The [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
 - Any individual alert
 - Any individual file details view
 - Any IP address or domain details view
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
index b4e6bdb23d..64234e4330 100644
--- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
@@ -66,8 +66,8 @@ As part of the process of creating a machine group, you'll:
 5. Assign the user groups that can access the machine group you created.
->[!NOTE]
->You can only grant access to Azure AD user groups with assigned RBAC roles.
+ >[!NOTE]
+ >You can only grant access to Azure AD user groups with assigned RBAC roles.
 6. Click **Close**.
diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index ddb474d04d..1ea023d684 100644
--- a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -84,7 +84,7 @@ Filter the list to view specific machines that are well configured or require at
 - **Well configured** - Machines have the Windows Defender security controls well configured.
 - **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization.
-For more information, see [View the Secure Score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md).
+For more information, see [View the Secure Score dashboard](secure-score-dashboard-windows-defender-advanced-threat-protection.md).
 **Malware category alerts**
 Filter the list to view specific machines grouped together by the following malware categories:
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
index f387151608..9cce13b284 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
@@ -27,11 +27,11 @@ ms.date: 04/16/2018
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-Create a rule to control which entities are automatically incriminated or exonerated during automated investigations.
+Create a rule to control which entities are automatically incriminated or exonerated during Automated investigations.
-Entities added to the allowed list are considered safe and will not be analyzed during automated investigations.
+Entities added to the allowed list are considered safe and will not be analyzed during Automated investigations.
-Entities added to the blocked list are considered malicious and will be remediated during automated investigations.
+Entities added to the blocked list are considered malicious and will be remediated during Automated investigations.
 You can define the conditions for when entities are identified as malicious or safe based on certain attributes such as hash values or certificates.
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
index 17a0427da5..7f5e14e941 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
@@ -27,11 +27,11 @@ ms.date: 04/16/2018
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
-Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection during automated investigations.
+Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.
 Identify the files and email attachments by specifying the file extension names and email attachment extension names.
-For example, if you add *exe* and *bat* as file or attachment extension names, then all files or attachments with those extensions will automatically be sent to the cloud for additional inspection during an automated investigation.
+For example, if you add *exe* and *bat* as file or attachment extension names, then all files or attachments with those extensions will automatically be sent to the cloud for additional inspection during Automated investigation.
 ## Add file extension names and attachment extension names.
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
index d47e5a03ac..2501d6a1f8 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
@@ -27,7 +27,7 @@ ms.date: 04/16/2018
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
-Automation folder exclusions allow you to specify folders that the automated investigation will skip.
+Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
 You can control the following attributes about the folder that you'd like to be skipped:
 - Folders
@@ -35,13 +35,13 @@ You can control the following attributes about the folder that you'd like to be
 - File names
-**Folders**
+**Folders**
 You can specify a folder and its subfolders to be skipped. You can use wild cards so that all files under the directory is skipped by the automated investigation.
-**Extensions**
+**Extensions**
 You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore.
-**File names**
+**File names**
 You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.
diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 46687c20e2..f77c91551e 100644
--- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -25,7 +25,7 @@ ms.date: 04/16/2018
 [!include[Prerelease information](prerelease.md)]
-There are some minimum requirements for onboarding your network and machines.
+There are some minimum requirements for onboarding machines to the service.
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
index d9c79c3483..5eb2d5edb0 100644
--- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@@ -97,12 +97,20 @@ Icon | Description
 ![Memory allocation icon](images\atp-memory-allocation-icon.png)| Memory allocation
 ![Process injection icon](images\atp-process-injection.png)| Process injection
 ![Powershell command run icon](images\atp-powershell-command-run-icon.png)| Powershell command run
-![Community center icon](images\atp-community-center.png) | Community center icon
-![Notifications icon](images\atp-notifications.png) | Notifications icon
+![Community center icon](images\atp-community-center.png) | Community center
+![Notifications icon](images\atp-notifications.png) | Notifications
+![No threats found](images\no-threats-found.png) | Automated investigation - no threats found
+![Failed icon](images\failed.png) | Automated investigation - failed
+![Partially remediated icon](images\partially-investigated.png) | Automated investigation - partially investigated
+![Termindated by system](images\terminated-by-system.png) | Automated investigation - terminated by system
+![Pending icon](images\pending.png) | Automated investigation - pending
+![Running icon](images\running.png) | Automated investigation - running
+![Remediated icon](images\remediated.png) | Automated investigation - remediated
+![Partially investigated icon](images\partially_remediated.png) | Automated investigation - partially remediated
 ## Related topics
 - [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
-- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [View the Secure Score dashboard and improve your secure score](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
-- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
+- [View the Security operations 
dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
index 8a99007f7d..637c0382b9 100644
--- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -32,7 +32,7 @@ Use the **Settings** menu to modify general settings, advanced features, enable
 Topic | Description
 :---|:---
-[Update general settings](general-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process.
+[Update general settings](data-retention-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process.
 Permissions | Manage portal access using RBAC as well as machine groups.
 APIs | Enable the threat intel and SIEM integration.
 Rules | Configure suppressions rules and automation settings.
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
index c76f915598..a6b0fe8c19 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
@@ -36,7 +36,7 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 2. Toggle the setting between **On** and **Off** and select **Save preferences**.
 ## Related topics
-- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
+- [Update general settings in Windows Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md)
 - [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
 - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
 - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index d9f04e4634..28c319ee72 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -36,7 +36,7 @@ You'll have access to upcoming features which you can provide feedback on to hel
 Turn on the preview experience setting to be among the first to try upcoming features.
-1. In the navigation pane, select **Settings** > **Advanced features** > **Preview features**.
+1. In the navigation pane, select **Settings** > **General** > **Advanced features** > **Preview features**.
 2. Toggle the setting between **On** and **Off** and select **Save preferences**.
diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-atp/secure-score-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
index d73226fd3f..86f19add49 100644
--- a/windows/security/threat-protection/windows-defender-atp/secure-score-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
@@ -52,7 +52,7 @@ The Office 365 Secure Score looks at your settings and activities and compares t
 In the example image, the total points for the Windows security controls and Office 365 add up to 437 points.
-You can set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard through the **Settings**. For more information, see [Enable Secure Score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md).
+You can set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard through the **Settings**. For more information, see [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md).
 ## Windows Defender security controls
 The security controls tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention.
@@ -353,8 +353,8 @@ You can take the following actions to increase the overall security score of you
 ## Related topics
 - [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
 - [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
-- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-windows-defender-advanced-threat-protection.md)
+- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md
index 6c10661f38..3214689c38 100644
--- a/windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md
@@ -155,6 +155,6 @@ For more information on the service health, see [Check the Windows Defender ATP
 ## Related topics
 - [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
 - [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
-- [View the Secure Score dashboard and improve your secure score](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
-- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-windows-defender-advanced-threat-protection.md)
+- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
index 056cfd40ef..65714a48d9 100644
--- a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
@@ -57,4 +57,4 @@ When an issue is resolved, it gets recorded in the **Status history** tab.
 The **Status history** tab reflects all the historical issues that were seen and resolved. You'll see details of the resolved issues along with the other information that were included while it was being resolved.
 ### Related topic
-- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
similarity index 94%
rename from windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
index 55147df786..1b25b996dc 100644
--- a/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
@@ -53,7 +53,7 @@ Click a section of each chart to get a list of the machines in the corresponding
 ## Related topics
 - [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
 - [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
-- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [View the Secure Score dashboard and improve your secure score](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
index 0ac90ce911..bc987d35d2 100644
--- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
@@ -41,8 +41,8 @@ Use the **Threat analytics** dashboard to continually assess and control risk ex
 Topic | Description
 :---|:---
 [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the portal layout and area descriptions.
-[View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
-[View the Secure Score dashboard and improve your secure score](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
-[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-windows-defender-advanced-threat-protection.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of mitigations.
+[View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
+[View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
+[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of mitigations.
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index bb7301d690..646c1f0e2c 100644
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -91,10 +91,9 @@ detect sophisticated cyber-attacks, providing:
 Topic | Description
 :---|:---
 Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.
-[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about configuring client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
-[Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations and Secure Score dashboard, and how to navigate the portal.
+[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
+[Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.
 Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats.
-Prevent threats | Use conditional access to help better protect your users and enterprise information by making sure only secure devices have access to applications.
 API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from the Windows Defender ATP portal.
 Reporting | Create and build Power BI reports using Windows Defender ATP data.
 Check service health and sensor state | Verify that the service is running and check the sensor state on machines.