diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index a751c426fc..2d78827336 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -9,7 +9,7 @@
#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
#### [Configuration score](microsoft-defender-atp/configuration-score.md)
#### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md)
-#### [Remediation](microsoft-defender-atp/tvm-remediation.md)
+#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index 28286da43d..c0b6610350 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -25,6 +25,8 @@ ms.date: 10/08/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+[!include[Prerelease information](prerelease.md)]
+
The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
## Schema tables
@@ -52,4 +54,4 @@ Table and column names are also listed within the Microsoft Defender Security Ce
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
\ No newline at end of file
+- [Learn the query language](advanced-hunting-query-language.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
index 8d6222dc34..35d38020d6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
@@ -26,6 +26,8 @@ ms.date: 10/27/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+[!include[Prerelease information](prerelease.md)]
+
Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration. Use this reference to check the latest assessment results and determine whether device are compliant.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
@@ -34,13 +36,13 @@ For information on other tables in the Advanced hunting schema, see [the Advance
|-------------|-----------|-------------|
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
+| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
| Timestamp | datetime |Date and time when the record was generated|
| ConfigurationId | string | Unique identifier for a specific configuration |
| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
-| IsCompliant | string | Indicates whether the configuration or policy is properly configured |
+| IsCompliant | boolean | Indicates whether the configuration or policy is properly configured |
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
index a8ca8d8c52..857a5731c6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
@@ -26,6 +26,8 @@ ms.date: 10/27/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+[!include[Prerelease information](prerelease.md)]
+
The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configuration TVM checks during assessments related to your organization. An example of a security configuration is to block JavaScript or VBScript from launching downloaded executable content to prevent accidentally downloading malicious files in your network. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
index 138f8a0e3f..fcf0c2e4bd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
@@ -42,8 +42,8 @@ For information on other tables in the Advanced hunting schema, see [the Advance
| OSArchitecture | string | Architecture of the operating system running on the machine|
| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
| SoftwareName | string | Name of the software product|
-|SoftwareVersion | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
-| CveId | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
+|SoftwareVersion | string | Version number of the software product|
+| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
index 68260d0b2c..757ad9858c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
@@ -26,6 +26,8 @@ ms.date: 10/27/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+[!include[Prerelease information](prerelease.md)]
+
The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains information about the vulnerabilities Threat & Vulnerability Management assesses devices for. Use this reference along with DeviceTvmSoftwareInventoryVulnerabilities to construct queries that return information on the metadata related to the vulnerabilities in your inventory.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
@@ -34,7 +36,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
|-------------|-----------|-------------|
| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS)|
-| IsExploitAvailable | string | Indicates whether exploit code for the vulnerability is publicly available|
+| IsExploitAvailable | boolean | Indicates whether exploit code for the vulnerability is publicly available|
| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
| LastModifiedTime | datetime | Date and time the item or related metadata was last modified|
| PublishedDate | datetime | Date vulnerability was disclosed to public|
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index 4eafbbefa8..6a076bfb65 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -60,7 +60,7 @@ See how you can [improve your security configuration](https://docs.microsoft.com
>- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
>
>To download the security updates:
->1. Go to [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx).
+>1. Go to [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/home.aspx).
>2. Key-in the security update KB number that you need to download, then click **Search**.
## Related topics
@@ -68,7 +68,7 @@ See how you can [improve your security configuration](https://docs.microsoft.com
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png
new file mode 100644
index 0000000000..27b00fdd87
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-confirmation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-confirmation.png
new file mode 100644
index 0000000000..d0eb92e377
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-confirmation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png
new file mode 100644
index 0000000000..3f8ead879c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-details.png
new file mode 100644
index 0000000000..9acba5c77f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dropdown.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dropdown.png
new file mode 100644
index 0000000000..31d16836b0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dropdown.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png
new file mode 100644
index 0000000000..6cafba6c3d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-flyout.png
new file mode 100644
index 0000000000..e01d9f53a5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png
new file mode 100644
index 0000000000..072835588a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-list.png
new file mode 100644
index 0000000000..dbd99451af
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-list.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png
new file mode 100644
index 0000000000..98d59f5c07
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 3a670e00a5..eecae45f38 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -62,7 +62,7 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index 2e352baa0e..c9129e6196 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -47,6 +47,8 @@ The following features are included in the preview release:
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table)
You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
+
+ - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index d52680c6a8..df00947476 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -143,12 +143,17 @@ When an exception is created for a recommendation, the recommendation is no long
2. Click the top-most recommendation. A flyout panel opens with the recommendation details.
3. Click **Exception options**.
+
4. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
+> 
+
5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
+
6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
+
## Use Advanced hunting query to search for machines with High active alerts or critical CVE public exploit
@@ -179,7 +184,7 @@ ComputerName=any(ComputerName) by MachineId, AlertId
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Advanced hunting overview](overview-hunting.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 1704845ac8..668b2a1cb4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -53,7 +53,7 @@ Area | Description
(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
**Dashboards** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
-**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
+**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
**Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
@@ -73,7 +73,7 @@ See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/t
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index 8eebb66298..fca24b4b1f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -42,7 +42,7 @@ Reduce the exposure score by addressing what needs to be remediated based on the
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index 674d4b0309..99b1ae6759 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -1,6 +1,6 @@
---
-title: Remediation
-description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
+title: Remediation and exception
+description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations or filing exceptions provided there are compensation controls. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/11/2019
---
-# Remediation
+# Remediation and exception
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -47,11 +47,62 @@ When you submit a remediation request from Threat & Vulnerability Management, it
It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune.
-You also have the option to export all remediation activity data to CSV for records, reporting purposes, or if you want to notify your IT administration counterpart that a remediation ticket has been submitted.
The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
-However, if the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The exceptions you've filed will also show up in the **Remediation** page, in the **Exceptions** tab.
+## When to file for exception instead of remediating issues
+You can file exceptions to exclude certain recommendation from showing up in reports and affecting risk scores or secure scores.
+
+When you select a security recommendation, it opens up a flyout screen with details and options for your next step. You can either **Open software page**, choose from **Remediation options**, go through **Exception options** to file for exceptions, or **Report inaccuracy**.
+
+Select **Exception options** and a flyout screen opens.
+
+
+
+### Exception justification
+If the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The following list details the justifications behind the exception options:
+
+- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus
+- **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow
+- **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive
+- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
+- **Other** - False positive
+
+
+ 
+
+### Exception visibility
+The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab.
+However, you also have the option to filter your view based on exception justification, type, and status.
+
+
+
+Aside from that, there's also an option to **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard.
+
+
+
+Clicking the link opens up to the **Security recommendations** page, where you can select the item exempted item with details.
+
+
+
+### Actions on exceptions
+- Cancel - You can cancel the exceptions you've filed any time
+- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded
+
+### Exception status
+- **Canceled** - The exception has been canceled and is no longer in effect
+- **Expired** - The exception that you've filed is no longer in effect
+- **In effect** - The exception that you've filed is in progress
+
+### Exception impact on scores
+Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Secure Score (for configurations) of your organization in the following manner:
+- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores
+- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
+- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Secure Score results out of the exception option that you made
+
+The exception impact shows on both the Security recommendations page column and in the flyout pane.
+
+
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index 02878e9531..ee75d061da 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -84,7 +84,7 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index a7ff6812ce..e1d39cdf5d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -63,6 +63,6 @@ You can report a false positive when you see any vague, inaccurate version, inco
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendation](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index c10b32a219..7eefec6595 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/11/2019
+ms.date: 10/31/2019
---
# Weaknesses
**Applies to:**
@@ -126,6 +126,6 @@ You can report a false positive when you see any vague, inaccurate, missing, or
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendation](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index 8d498f43b4..e3afd90910 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -19,12 +19,12 @@ ms.topic: article
# Create and manage roles for role-based access control
**Applies to:**
-
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-roles-abovefoldlink)
+[!include[Prerelease information](prerelease.md)]
+
## Create roles and assign the role to an Azure Active Directory group
The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
@@ -37,25 +37,31 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
- **Role name**
- **Description**
- **Permissions**
- - **View data** - Users can view information in the portal.
- - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
- - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
+ - **View data** - Users can view information in the portal.
+ >[!NOTE]
+ >To view Threat & Vulnerability Management data, select **Threat and vulnerability management**.
+
+ - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
+ - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
+ >[!NOTE]
+ >To enable your Security operation personnel to choose remediation options and file exceptions, select **Threat and vulnerability management - Remediation handling**, and **Threat and vulnerability management - Exception handling**.
+
+ - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
> [!NOTE]
> This setting is only available in the Microsoft Defender ATP administrator (default) role.
- - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
+ - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
- - **Live response capabilities** - Users can take basic or advanced live response commands.
- - Basic commands allow users to:
- - Start a live response session
- - Run read only live response commands on a remote machine
- - Advanced commands allow users to:
- - Run basic actions
- - Download a file from the remote machine
- - View a script from the files library
- - Run a script on the remote machine from the files library take read and write commands.
+ - **Live response capabilities** - Users can take basic or advanced live response commands.
+ - Basic commands allow users to:
+ - Start a live response session
+ - Run read only live response commands on a remote machine
+ - Advanced commands allow users to:
+ - Run basic actions
+ - Download a file from the remote machine
+ - View a script from the files library
+ - Run a script on the remote machine from the files library take read and write commands.
For more information on the available commands, see [Investigate machines using Live response](live-response.md).