Merge remote-tracking branch 'refs/remotes/origin/master' into jdsb

.openpublishing.redirection.json

@@ -13929,5 +13929,10 @@
 "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis",
 "redirect_document_id": false
 },
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis",
+"redirect_document_id": false
+},
 ]
 }

devices/surface/windows-autopilot-and-surface-devices.md

@@ -52,6 +52,9 @@ Enrolling Surface devices in Windows Autopilot at the time of purchase is a capa
 
 When you purchase Surface devices from a Surface partner enabled for Windows Autopilot, your new devices can be enrolled in your Windows Autopilot deployment for you by the partner. Surface partners enabled for Windows Autopilot include: 
 
-- [SHI](https://www.shi.com/Surface)
-- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html)
 - [Atea](https://www.atea.com/)
+- [Connection](https://www.connection.com/brand/microsoft/microsoft-surface) 
+- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html)
+- [SHI](https://www.shi.com/Surface)
+
+

windows/client-management/mdm/policy-csp-restrictedgroups.md

@@ -113,9 +113,8 @@ Here is an example:
 
 ```
 <groupmembership>
- <accessgroup desc="Administrators">
-    <member name="Contoso\Alice">
-    <member name = "S-188-5-5666-5-688">
+ <accessgroup desc="Group SID for Administrators">
+    <member name = "S-188-5-5666-5-688"/>
   </accessgroup>
 </groupmembership>
 ```

windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md

@@ -22,7 +22,7 @@ ms.date: 10/05/2017
 |Group policy |MDM policy |Description |
 |-------------|-----------|------------|
 |Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.<p>**Note**<br>This setting only applies to Windows 10 for desktop devices. |
-|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.<p>**In Windows 10, version 1511**<br>Cortana won’t work if this setting is turned off (disabled).<p>**In Windows 10, version 1607 and later**<br>Cortana still works if this setting is turned off (disabled).|
+|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.<p>**In Windows 10, version 1511**<br>Cortana won’t work if this setting is turned off (disabled).<p>**In Windows 10, version 1607 and later**<br>Cortana still works if this setting is turned off (disabled).|
 |None|System/AllowLocation|Specifies whether to allow app access to the Location service.<p>**In Windows 10, version 1511**<br>Cortana won’t work if this setting is turned off (disabled).<p>**In Windows 10, version 1607 and later**<br>Cortana still works if this setting is turned off (disabled).|
 |None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.<p>Use this setting if you only want to support Azure AD in your organization.|
 |Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.|

windows/deployment/update/waas-overview.md

@@ -117,8 +117,7 @@ The concept of servicing channels is new, but organizations can use the same man
 
 ### Semi-Annual Channel
 
-In the Semi-Annual servicing channel, feature updates are available as soon as Microsoft releases them. Windows 10, version 1511, had few servicing tool options to delay feature updates, limiting the use of the Semi-Annual servicing channel. Windows 10, version 1607 and onward, includes more servicing tools that can delay feature updates for up to 365 days. This servicing modal is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately.
-Once the latest release went through pilot deployment and testing, you choose the timing at which it goes into broad deployment.
+In the Semi-Annual servicing channel, feature updates are available as soon as Microsoft releases them. Windows 10, version 1511, had few servicing tool options to delay feature updates, limiting the use of the Semi-Annual servicing channel. Windows 10, version 1607 and onward, includes more servicing tools that can delay feature updates for up to 365 days. This servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment.
 
 When Microsoft officially releases a feature update for Windows 10, it is made available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
 
@@ -146,7 +145,7 @@ Microsoft never publishes feature updates through Windows Update on devices that
 >[!NOTE]
 >Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
 
-The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even of you install by using sideloading.
+The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading.
 
 >[!NOTE]
 >If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel.

windows/deployment/update/windows-analytics-FAQ-troubleshooting.md

@@ -79,12 +79,14 @@ If you have deployed images that have not been generalized, then many of them mi
 [![Device Reliability tile showing device count highlighted](images/device-reliability-device-count.png)](images/device-reliability-device-count.png)
 
 If you have devices that appear in other solutions, but not Device Health, follow these steps to investigate the issue:
-1. Confirm that the devices are running Windows10.
-2. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551).
-3. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set).
-4. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information.
-5. Wait 48 hours for activity to appear in the reports.
-6. If you need additional troubleshooting, contact Microsoft Support.
+1. Using the Azure portal, remove the Device Health (appears as DeviceHealthProd on some pages) solution from your Log Analytics workspace. After completing this, add the Device Health solution to you workspace again.
+2. Confirm that the devices are running Windows 10.
+3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551).
+4. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set).
+5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information.
+6. Remove the Device Health (appears as DeviceHealthProd on some pages) from your Log Analytics workspace
+7. Wait 48 hours for activity to appear in the reports.
+8. If you need additional troubleshooting, contact Microsoft Support.
 
 
 ### Device crashes not appearing in Device Health Device Reliability

windows/deployment/update/windows-analytics-get-started.md

@@ -169,7 +169,7 @@ These policies are under Microsoft\Windows\DataCollection:
 | CommercialDataOptIn (in Windows 7 and Windows 8) |	1 is required for Upgrade Readiness, which is the only solution that runs on Windows 7 or Windows 8. |
 
 
-You can set these values by using Group Policy (in Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds) or by using Mobile Device Management (in Provider/ProviderID/CommercialID). For more information about deployment using MDM, see the [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp) topic in MDM documentation.
+You can set these values by using Group Policy (in Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds) or by using Mobile Device Management (in Provider/*Provider ID*/CommercialID). (If you are using Microsoft Intune, use `MS DM Server` as the provider ID.) For more information about deployment using MDM, see the [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp) topic in MDM documentation.
 
 The corresponding preference registry values are available in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** and can be configured by the deployment script. If a given setting is configured by both preference registry settings and policy, the policy values will override. However, the **IEDataOptIn** setting is different--you can only set this with the preference registry keys:
 

windows/deployment/update/windows-as-a-service.md

@@ -25,6 +25,8 @@ Everyone wins when transparency is a top priority. We want you to know when upda
 
 The latest news:
 <ul compact style="list-style: none"> 
+<li><a href="https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience">Data, insights and listening to improve the customer experience</a> - March 6, 2019</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Getting-to-know-the-Windows-update-history-pages/ba-p/355079">Getting to know the Windows update history pages</a> - February 21, 2019</li>
 <li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523">Windows Update for Business and the retirement of SAC-T</a> - February 14, 2019</li>
 <li><a href="https://blogs.windows.com/windowsexperience/2019/01/15/application-compatibility-in-the-windows-ecosystem/#A8urpp1QEp6DHzmP.97">Application compatibility in the Windows ecosystem</a> - January 15, 2019</li>
 <li><a href="https://blogs.windows.com/windowsexperience/2018/12/10/windows-monthly-security-and-quality-updates-overview/#UJJpisSpvyLokbHm.97">Windows monthly security and quality updates overview</a> - January 10, 2019</li>

windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md

@@ -6,9 +6,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
-ms.pagetype: mdt
-author: Jamiejdt
-ms.date: 07/27/2017
+ms.pagetype: mdm
+author: greg-lindsay
 ms.topic: article
 ---
 
@@ -19,9 +18,15 @@ ms.topic: article
 -   Windows 10 Mobile
 
 ## Summary
-This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using Mobile Device Management (MDM). To determine if the device is eligible for an upgrade, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article.
 
-The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in.
+This article describes how system administrators can upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM). 
+
+>[!IMPORTANT]
+>If you are not a system administrator, see the [Windows 10 Mobile Upgrade & Updates](https://www.microsoft.com/windows/windows-10-mobile-upgrade) page for details about updating your Windows 8.1 Mobile device to Windows 10 Mobile using the [Upgrade Advisor](https://www.microsoft.com/store/p/upgrade-advisor/9nblggh0f5g4).
+
+## Upgrading with MDM
+
+The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. To determine if the device is eligible for an upgrade with MDM, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in.
 
 If you use a list of allowed applications (app whitelisting) with MDM, verify that system applications are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whitelist) with app whitelisting that could adversely affect the device after you upgrade.
 
@@ -90,7 +95,7 @@ The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterp
 
 We recommend that enterprises use a pilot device with the Windows 10 Mobile Upgrade Advisor app installed. The pilot device provides the device model and MO used by the enterprise. When you run the app on the pilot device, it will tell you that either an upgrade is available, that the device is eligible for upgrade, or that an upgrade is not available for this device.
 
-Note: The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the [Windows 10 mobile](https://www.microsoft.com/en/mobile/windows10) page.
+Note: The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the [Windows 10 Mobile FAQ](https://support.microsoft.com/help/10599/windows-10-mobile-how-to-get) page.
 
 ### How to blacklist the Upgrade Advisor app <a id="howto-blacklist"></a>
 

windows/deployment/volume-activation/install-vamt.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/25/2018
+ms.date: 03/11/2019
 ms.topic: article
 ---
 
@@ -18,7 +18,7 @@ This topic describes how to install the Volume Activation Management Tool (VAMT)
 
 ## Install VAMT
 
-You can install VAMT as part of the [Windows Assessment and Deployment Kit (ADK)](https://go.microsoft.com/fwlink/p/?LinkId=526740) for Windows 10.
+You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
 
 >[!IMPORTANT]  
 >VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. 
@@ -26,24 +26,46 @@ You can install VAMT as part of the [Windows Assessment and Deployment Kit (ADK)
 >[!NOTE]  
 >The VAMT Microsoft Management Console snap-in ships as an x86 package. 
 
-To install SQL Server Express:
-1.  Install the Windows ADK.
-2.  Ensure that **Volume Activation Management Tool** is selected to be installed.
-3.  Click **Install**.
+### Requirements
+
+- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access and all updates applied
+- [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036)
+- [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express)
+
+### Install SQL Server 2017 Express
+
+1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
+2. Select **Basic**.
+3. Accept the license terms.
+4. Enter an install location or use the default path, and then select **Install**.
+5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. 
+    ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png)
+
+### Install VAMT using the ADK
+
+1. Download and open the [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) package.
+2. Enter an install location or use the default path, and then select **Next**.
+3. Select a privacy setting, and then select **Next**.
+4. Accept the license terms.
+5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.)
+6. On the completion page, select **Close**.
+
+### Configure VAMT to connect to SQL Server 2017 Express
+
+1. Open **Volume Active Management Tool 3.1** from the Start menu.
+2. Enter the server instance name and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example.
+
+    ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png)
 
-## Select a Database
 
-VAMT requires a SQL database. After you install VAMT, if you have a computer information list (CIL) that was created in a previous version of VAMT, you must import the list into a SQL database. If you do not have SQL installed, you can [download a free copy of Microsoft SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) and create a new database into which you can import the CIL. 
 
-You must configure SQL installation to allow remote connections and you must provide the corresponding server name in the format: *Machine Name\\SQL Server Name*. If a new VAMT database needs to be created, provide a name for the new database.
 
 ## Uninstall VAMT
 
-To uninstall VAMT via the **Programs and Features** Control Panel:
-1.  Open the **Control Panel** and select **Programs and Features**.
+To uninstall VAMT using the **Programs and Features** Control Panel:
+1.  Open **Control Panel** and select **Programs and Features**.
 2.  Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
 
-## Related topics
-- [Install and Configure VAMT](install-configure-vamt.md)
+
  
  

windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md

@@ -4236,7 +4236,7 @@ The following fields are available:
 - **RelatedCV**  The Correlation Vector that was used before the most recent change to a new Correlation Vector.
 - **RepeatFailFlag**  Indicates whether this specific piece of content had previously failed to download.
 - **RevisionNumber**  The revision number of the specified piece of content.
-- **ServiceGuid**  A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **ServiceGuid**  A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
 - **Setup360Phase**  Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade.
 - **ShippingMobileOperator**  The mobile operator linked to the device when the device shipped.
 - **StatusCode**  Indicates the result of a Download event (success, cancellation, failure code HResult).
@@ -5132,7 +5132,7 @@ The following fields are available:
 - **RebootReason**  Reason for the reboot.
 
 
-## Windows Store events
+## Microsoft Store events
 
 ### Microsoft.Windows.Store.Partner.ReportApplication
 

windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md

@@ -4128,7 +4128,7 @@ The following fields are available:
 - **HandlerType**  Indicates the kind of content (app, driver, windows patch, etc.)
 - **RevisionNumber**  Unique revision number of Update
 - **ServerId**  Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store.
-- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
+- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
 - **SystemBIOSMajorRelease**  Major version of the BIOS.
 - **SystemBIOSMinorRelease**  Minor version of the BIOS.
 - **UpdateId**  Unique Update ID
@@ -4192,7 +4192,7 @@ The following fields are available:
 - **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
 - **RepeatFailFlag**  Indicates whether this specific piece of content had previously failed to download.
 - **RevisionNumber**  The revision number of the specified piece of content.
-- **ServiceGuid**  A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **ServiceGuid**  A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
 - **Setup360Phase**  Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade.
 - **ShippingMobileOperator**  The mobile operator linked to the device when the device shipped.
 - **StatusCode**  Indicates the result of a Download event (success, cancellation, failure code HResult).
@@ -5298,7 +5298,7 @@ The following fields are available:
 - **ReportId**  WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
 
 
-## Windows Store events
+## Microsoft Store events
 
 ### Microsoft.Windows.Store.Partner.ReportApplication
 

windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md

@@ -4934,7 +4934,7 @@ The following fields are available:
 - **FlightId**  The specific id of the flight the device is getting
 - **HandlerType**  Indicates the kind of content (app, driver, windows patch, etc.)
 - **RevisionNumber**  Identifies the revision number of this specific piece of content
-- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
+- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
 - **SystemBIOSMajorRelease**  Major release version of the system bios
 - **SystemBIOSMinorRelease**  Minor release version of the system bios
 - **UpdateId**  Identifier associated with the specific piece of content
@@ -4997,7 +4997,7 @@ The following fields are available:
 - **RelatedCV**  The Correlation Vector that was used before the most recent change to a new Correlation Vector.
 - **RepeatFailFlag**  Indicates whether this specific piece of content had previously failed to download.
 - **RevisionNumber**  The revision number of the specified piece of content.
-- **ServiceGuid**  A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **ServiceGuid**  A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
 - **Setup360Phase**  Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade.
 - **ShippingMobileOperator**  The mobile operator linked to the device when the device shipped.
 - **StatusCode**  Indicates the result of a Download event (success, cancellation, failure code HResult).
@@ -5988,7 +5988,7 @@ The following fields are available:
 - **PertProb**  Constant used in algorithm for randomization.
 
 
-## Windows Store events
+## Microsoft Store events
 
 ### Microsoft.Windows.Store.StoreActivating
 

windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md

@@ -4859,7 +4859,7 @@ The following fields are available:
 - **FlightId**  The specific id of the flight the device is getting
 - **HandlerType**  Indicates the kind of content (app, driver, windows patch, etc.)
 - **RevisionNumber**  Identifies the revision number of this specific piece of content
-- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
+- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
 - **SystemBIOSMajorRelease**  Major release version of the system bios
 - **SystemBIOSMinorRelease**  Minor release version of the system bios
 - **UpdateId**  Identifier associated with the specific piece of content
@@ -4935,7 +4935,7 @@ The following fields are available:
 - **RepeatFailCount**  Indicates whether this specific content has previously failed.
 - **RepeatFailFlag**  Indicates whether this specific content previously failed to download.
 - **RevisionNumber**  The revision number of the specified piece of content.
-- **ServiceGuid**  A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **ServiceGuid**  A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
 - **Setup360Phase**  Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade.
 - **ShippingMobileOperator**  The mobile operator linked to the device when the device shipped.
 - **SizeCalcTime**  Time (in seconds) taken to calculate the total download size of the payload.
@@ -5117,7 +5117,7 @@ The following fields are available:
 - **RelatedCV**  The previous correlation vector that was used by the client before swapping with a new one.
 - **RepeatFailCount**  Indicates whether this specific piece of content has previously failed.
 - **RevisionNumber**  Identifies the revision number of this specific piece of content.
-- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
 - **StatusCode**  Result code of the event (success, cancellation, failure code HResult).
 - **TargetGroupId**  For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
 - **TargetingVersion**  For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
@@ -5177,7 +5177,7 @@ The following fields are available:
 - **RelatedCV**  The previous correlation vector that was used by the client before swapping with a new one.
 - **RepeatFailCount**  Indicates whether this specific piece of content previously failed.
 - **RevisionNumber**  Identifies the revision number of this specific piece of content.
-- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
 - **StatusCode**  Result code of the event (success, cancellation, failure code HResult).
 - **TargetGroupId**  For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
 - **TargetingVersion**  For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
@@ -5983,7 +5983,7 @@ The following fields are available:
 - **PertProb**  The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”.
 
 
-## Windows Store events
+## Microsoft Store events
 
 ### Microsoft.Windows.Store.StoreActivating
 

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md

@@ -66,15 +66,21 @@ If you are interested in configuring your environment to use the Windows Hello f
 
 Certificate authorities write CRL distribution points in certificates as they are issued.  If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point.  The domain controller certificate is one the critical components of Azure AD joined devices authenticating to Active Directory
 
-#### Why does Windows need to validate the domain controller certifcate?
+#### Why does Windows need to validate the domain controller certificate?
 
-Windows Hello for Business enforces the strict KDC validation security feature, which enforces a more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met:
+Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met:
 
 - The domain controller has the private key for the certificate provided.
 - The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. 
+- Use the **Kerberos Authentication certificate template** instead of any other older template.
 - The domain controller's certificate has the **KDC Authentication** enhanced key usage.
 - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain.
 
+
+> [!Tip]
+> If you are using Windows Server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing or re-issuing the certificate.
+ 
+
 ## Configuring a CRL Distribution Point for an issuing certificate authority
 
 Use this set of procedures to update your certificate authority that issues your domain controller certificates to include an http-based CRL distribution point. 
@@ -164,7 +170,7 @@ These procedures configure NTFS and share permissions on the web server to allow
 9. Click **Close** in the **cdp Properties** dialog box.
 
 
-### Configure the new CRL distribution point and Publishing location in the issuing certifcate authority
+### Configure the new CRL distribution point and Publishing location in the issuing certificate authority
 
 The web server is ready to host the CRL distribution point.  Now, configure the issuing certificate authority to publish the CRL at the new location and to include the new CRL distribution point
 

windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md

@@ -105,12 +105,12 @@ The following table contains the default BCD validation profile used by BitLocke
 
 This following is a full list of BCD settings with friendly names which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked.
 > **Note:**  Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list.
- 
+
 | Hex Value | Prefix | Friendly Name |
 | - | - | - |
-| 0x12000004 | all| description| 
-| 0x12000005| all| locale|
-| 0x12000016| all| targetname| 
+| 0x12000004 | all | description | 
+| 0x12000005 | all | locale | 
+| 0x12000016 | all | targetname | 
 | 0x12000019| all| busparams| 
 | 0x1200001d| all| key| 
 | 0x1200004a| all| fontpath| 
@@ -182,7 +182,7 @@ This following is a full list of BCD settings with friendly names which are igno
 | 0x25000061 | winload| numproc| 
 | 0x25000063 | winload| configflags|
 | 0x25000066| winload| groupsize|
-| 0x25000071 | winload| msi| 
+| 0x25000071 | winload| msi|
 | 0x25000072 | winload| pciexpress| 
 | 0x25000080 | winload| safeboot| 
 | 0x250000a6 | winload| tscsyncpolicy| 

windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md

@@ -591,7 +591,7 @@ WIP can integrate with Microsoft Azure Rights Management to enable secure sharin
 
 To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
 
-Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. 
+Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. This template will be applied to the protected data that is copied to a removable drive.
 
 >[!IMPORTANT]
 >Curly braces -- {} -- are required around the RMS Template ID.

windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md

@@ -63,7 +63,7 @@ This section covers how WIP works with sensitivity labels in specific use cases.
 
 ### User downloads from or creates a document on a work site
 
-If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regradless of whether the document has a sensitivity label.
+If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regardless of whether the document has a sensitivity label.
 
 If the document also has a sensitivity label, which can be Office or PDF files, WIP protection is applied according to the label. 
 

windows/security/threat-protection/TOC.md

@@ -235,11 +235,13 @@
 ###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
 ####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
    
-##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/use-apis.md)
-###### Create your app
-####### [Get access on behalf of a user](windows-defender-atp/exposed-apis-create-app-nativeapp.md)
-####### [Get access without a user](windows-defender-atp/exposed-apis-create-app-webapp.md)
-###### [Supported Windows Defender ATP APIs](windows-defender-atp/exposed-apis-list.md)
+##### [Windows Defender ATP API](windows-defender-atp/use-apis.md)
+###### [Get started with Windows Defender ATP APIs](windows-defender-atp/apis-intro.md)
+####### [Hello World](windows-defender-atp/api-hello-world.md)
+####### [Get access with application context](windows-defender-atp/exposed-apis-create-app-webapp.md)
+####### [Get access with user context](windows-defender-atp/exposed-apis-create-app-nativeapp.md)
+###### [APIs](windows-defender-atp/exposed-apis-list.md)
+
 ####### [Advanced Hunting](windows-defender-atp/run-advanced-query-api.md)
 
 ####### [Alert](windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md)
@@ -253,6 +255,33 @@
 ######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
 ######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
 
+####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
+######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
+
+####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
+######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
+######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
+######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
+######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
+######## [Initiate investigation (preview)](windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md)
+
+####### [Indicators (preview)](windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md)
+######## [Submit Indicator](windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+######## [List Indicators](windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
+######## [Delete Indicator](windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
+
 ####### Domain
 ######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
 ######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
@@ -271,28 +300,6 @@
 ######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
 ######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
 
-####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
-######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
-######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
-######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
-######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
-######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
-######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
-
-
-####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
-######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
-######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
-######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
-######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
-######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md)
-######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md)
-######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
-######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
-######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
-######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
-######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
-
 ####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
 ######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
 ######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
@@ -329,8 +336,8 @@
 ###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
 ###### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
 ###### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md)
-###### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md)
-###### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+###### [Windows Defender ATP SIEM alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md)
+###### [Pull alerts using SIEM REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
 ###### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md)
 
 

windows/security/threat-protection/intelligence/virus-initiative-criteria.md

@@ -18,29 +18,25 @@ ms.topic: article
 
 The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows.
 
-Like the [Virus Information Alliance (VIA)](virus-information-alliance-criteria.md) and the [Coordinated Malware Eradication (CME) program](coordinated-malware-eradication.md), MVI aims to share information about the threat landscape that can help your organization protect its customers.
+MVI members will receive access to Windows APIs (such as those used by Windows Defender Antivirus), and other technologies including IOAV, AMSI and Cloud Files, malware telemetry and samples, and invitations to security related events and conferences.
 
-MVI members will receive access to Windows APIs (such as those used by Windows Defender Security Center, IOAV, AMSI and Cloud Files), malware telemetry and samples, and invitations to security related events and conferences.
-
-MVI adds to VIA by requiring members to develop and own antimalware technology, and to be present in the antimalware industry community.
+MVI requires members to develop and own antimalware technology and to be present in the antimalware industry community.
 
 ## Join MVI
 
 A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology.
 
-The base criteria for MVI membership are the same as for VIA, but your organization must also offer an antimalware or antivirus product.
 
 ### Initial selection criteria
 
-Your organization must meet the following eligibility requirements to participate in the MVI program:
+Your organization must meet the following eligibility requirements to qualify for the MVI program:
 
 1. Offer an antimalware or antivirus product that is one of the following:
 
    * Your organization's own creation.
-   * Licensed from another organization, but your organization adds value such as additional Security intelligence.
-   * Developed by using an SDK (engine and other components) from another MVI Partner AM company and your organization adds a custom UI and/or other functionality (white box versions).
+   * Developed by using an SDK (engine and other components) from another MVI Partner company and your organization adds a custom UI and/or other functionality.
 
-2. Have your own malware research team unless you distribute a Whitebox product.
+2. Have your own malware research team unless you build a product based on an SDK.
 
 3. Be active and have a positive reputation in the antimalware industry. Your organization is:
 
@@ -51,10 +47,10 @@ Your organization must meet the following eligibility requirements to participat
 
 5. Be willing to sign a program license agreement.
 
-6. Be willing to adhere to program requirements for AM apps. These requirements define the behavior of AM apps necessary to ensure proper interaction with Windows.
+6. Be willing to adhere to program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows.
 
-7. Submit your AM app to Microsoft for periodic performance testing.
+7. Submit your app to Microsoft for periodic performance testing.
 
 ### Apply now
 
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).

windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md

@@ -45,6 +45,9 @@ There are specific network-connectivity requirements to ensure your endpoints ca
     - **Send safe samples automatically**
     - **Send all samples automatically**
 
+        >[!NOTE]
+        >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
+
         > [!WARNING]
         > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
 
@@ -73,6 +76,9 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
     1. **Send safe samples** (1)
     2. **Send all samples** (3)
 
+        >[!NOTE]
+        >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
+
         > [!WARNING]
         > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
 

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -232,11 +232,13 @@
 ###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
   
 
-#### [Use the Windows Defender ATP exposed APIs](use-apis.md)
-##### Create your app
-###### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md)
-###### [Get access without a user](exposed-apis-create-app-webapp.md)
-##### [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+#### [Windows Defender ATP API](use-apis.md)
+##### [Get started with Windows Defender ATP APIs](apis-intro.md)
+###### [Hello World](api-hello-world.md)
+###### [Get access with application context](exposed-apis-create-app-webapp.md)
+###### [Get access with user context](exposed-apis-create-app-nativeapp.md)
+##### [APIs](exposed-apis-list.md)
+
 ###### [Advanced Hunting](run-advanced-query-api.md)
 
 ###### [Alert](alerts-windows-defender-advanced-threat-protection-new.md)
@@ -250,24 +252,6 @@
 ####### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
 ####### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
 
-###### Domain
-####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
-####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
-####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
-####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
-
-###### [File](files-windows-defender-advanced-threat-protection-new.md)
-####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md)
-####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
-####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
-####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md)
-
-###### IP
-####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
-####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
-####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
-####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
-
 ###### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
 ####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md)
 ####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
@@ -288,6 +272,30 @@
 ####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
 ####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
 ####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
+####### [Initiate investigation (preview)](initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md)
+
+###### [Indicators (preview)](ti-indicator-windows-defender-advanced-threat-protection-new.md)
+####### [Submit Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+####### [List Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
+####### [Delete Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
+
+###### Domain
+####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
+
+###### [File](files-windows-defender-advanced-threat-protection-new.md)
+####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md)
+
+###### IP
+####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
 
 ###### [User](user-windows-defender-advanced-threat-protection-new.md)
 ####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
@@ -318,8 +326,8 @@
 ##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
 ##### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
 ##### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
-##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
-##### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP SIEM alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+##### [Pull alerts using SIEM REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
 ##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
 
 

windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md

@@ -104,7 +104,6 @@ Content-type: application/json
     "rbacGroupId": 140,
 	"rbacGroupName": "The-A-Team",
     "riskScore": "Low",
-	"isAadJoined": true,
     "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 	"machineTags": [ "test tag 1", "test tag 2" ]
 }

windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md

@@ -14,16 +14,15 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 12/08/2017
 ---
 
 # Alert resource type
 **Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 
-Represents an alert entity in WDATP.
+Represents an alert entity in Windows Defender ATP.
 
 # Methods
 Method|Return Type |Description

windows/security/threat-protection/windows-defender-atp/api-hello-world.md

@@ -0,0 +1,189 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Windows Defender ATP API - Hello World 
+
+**Applies to:** 
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## Get Alerts using a simple PowerShell script
+
+### How long it takes to go through this example?
+It only takes 5 minutes done in two steps:
+- Application registration
+- Use examples: only requires copy/paste of a short PowerShell script
+
+### Do I need a permission to connect?
+For the App registration stage, you must have a Global administrator role in your Azure Active Directory (Azure AD) tenant.
+
+### Step 1 - Create an App in Azure Active Directory
+
+1.	Log on to [Azure](https://portal.azure.com) with your Global administrator user.
+
+2.	Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. 
+
+    ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
+
+3.	In the registration form, enter the following information, then click **Create**.
+
+    - **Name:** Choose your own name. 
+    - **Application type:** Web app / API
+    - **Redirect URI:** `https://127.0.0.1`
+
+	![Image of Create application window](images/webapp-create.png)
+
+4. Allow your App to access Windows Defender ATP and assign it 'Read all alerts' permission:
+
+	- Click **Settings** > **Required permissions** > **Add**.
+
+	![Image of new app in Azure](images/webapp-add-permission.png)
+
+	- Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+
+	**Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+	![Image of API access and API selection](images/webapp-add-permission-2.png)
+
+	- Click **Select permissions** > **Read all alerts** > **Select**.
+
+	![Image of API access and API selection](images/webapp-add-permission-readalerts.png)
+
+	- Click **Done**
+
+	![Image of add permissions completion](images/webapp-add-permission-end.png)
+
+	- Click **Grant permissions**
+
+	**Note**: Every time you add permission you must click on **Grant permissions**.
+
+	![Image of Grant permissions](images/webapp-grant-permissions.png)
+
+5. Create a key for your App:
+
+	- Click **Keys**, type a key name and click **Save**.
+
+	![Image of create app key](images/webapp-create-key.png)
+
+6. Write down your App ID and your Tenant ID:
+
+	- App ID: 
+
+	![Image of created app id](images/webapp-app-id1.png)
+
+	- Tenant ID: Navigate to **Azure Active Directory** > **Properties**
+
+	![Image of create app key](images/api-tenant-id.png)
+
+
+Done! You have successfully registered an application! 
+
+### Step 2 - Get a token using the App and use this token to access the API.
+
+-	Copy the script below to PowerShell ISE or to a text editor, and save it as "**Get-Token.ps1**"
+-	Running this script will generate a token and will save it in the working folder under the name "**Latest-token.txt**".
+
+```
+# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
+# Paste below your Tenant ID, App ID and App Secret (App key).
+ 
+$tenantId = '' ### Paste your tenant ID here
+$appId = '' ### Paste your app ID here
+$appSecret = '' ### Paste your app key here
+ 
+$resourceAppIdUri = 'https://api.securitycenter.windows.com'
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$authBody = [Ordered] @{
+    resource = "$resourceAppIdUri"
+    client_id = "$appId"
+    client_secret = "$appSecret"
+    grant_type = 'client_credentials'
+}
+$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
+$token = $authResponse.access_token
+Out-File -FilePath "./Latest-token.txt" -InputObject $token
+return $token
+
+```
+
+-	Sanity Check:<br>
+Run the script.<br>
+In your browser go to: https://jwt.ms/ <br>
+Copy the token (the content of the Latest-token.txt file).<br>
+Paste in the top box.<br>
+Look for the "roles" section. Find the Alert.Read.All role.
+
+![Image jwt.ms](images/api-jwt-ms.png)
+
+### Lets get the Alerts!
+
+-	The script below will use **Get-Token.ps1** to access the API and will get the past 48 hours Alerts.
+-   Save this script in the same folder you saved the previous script **Get-Token.ps1**. 
+-	The script creates two files (json and csv) with the data in the same folder as the scripts.
+
+```
+# Returns Alerts created in the past 48 hours.
+ 
+$token = ./Get-Token.ps1       #run the script Get-Token.ps1  - make sure you are running this script from the same folder of Get-Token.ps1
+
+# Get Alert from the last 48 hours. Make sure you have alerts in that time frame.
+$dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o")       
+
+# The URL contains the type of query and the time filter we create above
+# Read more about other query options and filters at   Https://TBD- add the documentation link
+$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime"
+ 
+# Set the WebRequest headers
+$headers = @{ 
+    'Content-Type' = 'application/json'
+    Accept = 'application/json'
+    Authorization = "Bearer $token" 
+}
+
+# Send the webrequest and get the results. 
+$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop
+
+# Extract the alerts from the results. 
+$alerts =  ($response | ConvertFrom-Json).value | ConvertTo-Json
+ 
+# Get string with the execution time. We concatenate that string to the output file to avoid overwrite the file
+$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}    
+ 
+# Save the result as json and as csv
+$outputJsonPath = "./Latest Alerts $dateTimeForFileName.json"     
+$outputCsvPath = "./Latest Alerts $dateTimeForFileName.csv"
+ 
+Out-File -FilePath $outputJsonPath -InputObject $alerts
+($alerts | ConvertFrom-Json) | Export-CSV $outputCsvPath -NoTypeInformation 
+
+```
+
+You’re all done! You have just successfully:
+-	Created and registered and application
+-	Granted permission for that application to read alerts
+-	Connected the API
+-	Used a PowerShell script to return alerts created in the past 48 hours
+
+
+
+## Related topic
+- [Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md)
+- [Access Windows Defender ATP with user context](exposed-apis-create-app-nativeapp.md)

windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md

@@ -18,7 +18,7 @@ ms.topic: article
 ms.date: 10/16/2017
 ---
 
-# Windows Defender ATP alert API fields
+# Windows Defender ATP SIEM alert API fields
 
 **Applies to:**
 

windows/security/threat-protection/windows-defender-atp/apis-intro.md

@@ -1,7 +1,7 @@
 ---
 title: Windows Defender Advanced Threat Protection API overview  
 description: Learn how you can use APIs to automate workflows and innovate based on Windows Defender ATP capabilities
-keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+keywords: apis, api, wdatp, open api, windows defender atp api, public api, supported apis, alerts, machine, user, domain, ip, file, advanced hunting, query
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -14,48 +14,52 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: conceptual
-ms.date: 09/03/2018
 ---
 
 # Windows Defender ATP API overview
 
-**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+**Applies to:** 
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
-
-[!include[Prerelease information](prerelease.md)]
+> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
 
 In general, you’ll need to take the following steps to use the APIs:
-- Create an app
-- Get an access token
+- Create an AAD application
+- Get an access token using this application
 - Use the token to access Windows Defender ATP API
 
 
-As a developer, you decide which permissions for Windows Defender ATP your app requests. When a user signs in to your app they (or, in some cases, an administrator) are given a chance to give consent to these permissions. If the user provides consent, your app is given access to the resources and APIs that it has requested. For apps that don't take a signed-in user, permissions can be pre-approved to by an administrator when the app is installed or during sign-up.
+You can access Windows Defender ATP API with **Application Context** or **User Context**.
 
-## Delegated permissions, application permissions, and effective permissions
+- **Application Context: (Recommended)** <br>
+    Used by apps that run without a signed-in user present. for example, apps that run as background services or daemons.
 
-Windows Defender ATP has two types of permissions: delegated permissions and application permissions.
+	Steps that need to be taken to access Windows Defender ATP API with application context:
 
-- **Delegated permissions** <br> 
-    Used by apps that have a signed-in user present. For these apps either the user or an administrator provides consent to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Windows Defender ATP. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.
-- **Application permissions** <br>
-    Used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.
+	1. Create an AAD Web-Application.
+	2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'. 
+	3. Create a key for this Application.
+	4. Get token using the application with its key.
+	5. Use the token to access Windows Defender ATP API
 
-Effective permissions are permissions that your app will have when making requests to Windows Defender ATP. It is important to understand the difference between the delegated and application permissions that your app is granted and its effective permissions when making calls to Windows Defender ATP.
+	For more information, see [Get access with application context](exposed-apis-create-app-webapp.md).
 
-- For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see [Assigning administrator roles in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles).
 
-	For example, assume your app has been granted the `Machine.CollectForensics` delegated permission. This permission nominally grants your app permission to collect investigation package from a machine. If the signed-in user has 'Alerts Investigation' permission, your app will be able to collect investigation package from a machine, if the machine belongs to a group the user is exposed to. However, if the signed-in user doesn't have 'Alerts Investigation' permission, your app won't be able to collect investigation package from any machine.
+- **User Context:** <br>
+    Used to perform actions in the API on behalf of a user.
 
-- For application permissions, the effective permissions of your app will be the full level of privileges implied by the permission. For example, an app that has the `Machine.CollectForensics` application permission can collect investigation package from any machine in the organization.
+	Steps that needs to be taken to access Windows Defender ATP API with application context:
+	1. Create AAD Native-Application.
+	2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc. 
+	3. Get token using the application with user credentials.
+	4. Use the token to access Windows Defender ATP API
+
+	For more information, see [Get access with user context](exposed-apis-create-app-nativeapp.md).
 
 
 ## Related topics
-- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
-- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)
-- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
+- [Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md)
+- [Access Windows Defender ATP with user context](exposed-apis-create-app-nativeapp.md)

windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md

@@ -107,7 +107,7 @@ The following steps assume that you have completed all the required steps in [Be
      <td>Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.</td>
      <tr>
      <td>Refresh Token</td>
-     <td>You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool. <br><br> For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). </br> </br>**Get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. </br></br> b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d.	A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the **Refresh Token** field.
+     <td>You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool. <br><br> For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). </br> </br>**Get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. </br></br> b. Type: `arcsight restutil token -config` from the bin directory.For example: **arcsight restutil boxtoken -proxy proxy.location.hp.com:8080** A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d.	A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the **Refresh Token** field.
      </td>
      </tr>
      </tr>

windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md

@@ -165,6 +165,9 @@ If at least one of the connectivity options returns a (200) status, then the Win
 
 However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
 
+> [!NOTE]
+> When the TelemetryProxyServer is set, in Registry or via Group Policy, Windows Defender ATP will fall back to direct if it can't access the defined proxy.
+
 ## Related topics
 - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
 - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md

@@ -22,7 +22,6 @@ ms.date: 10/16/2017
 
 **Applies to:**
 
-
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) 

windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/29/2018
 ---
 
 

windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md

@@ -1,6 +1,6 @@
 ---
-title: Delete Ti Indicator.
-description: Deletes Ti Indicator entity by ID.
+title: Delete Indicator API.
+description: Deletes Indicator entity by ID.
 keywords: apis, public api, supported apis, delete, ti indicator, entity, id
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -14,33 +14,33 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 12/08/2017
 ---
 
-# Delete TI Indicator API
+# Delete Indicator API
+
+**Applies to:**  
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 
 >[!Note]
-> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+> Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information)
 
 
-**Applies to:**
-
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Retrieves a TI Indicator entity by ID.
+- Deletes an Indicator entity by ID.
 
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
 
 Permission type |	Permission	|	Permission display name
 :---|:---|:---
 Application |	Ti.ReadWrite |	'Read and write TI Indicators'
+Application |	Ti.ReadWrite.All |	'Read and write Indicators'
 
 
 ## HTTP request
 ```
-Delete https://api.securitycenter.windows.com/api/tiindicators/{id}
+Delete https://api.securitycenter.windows.com/api/indicators/{id}
 ```
 
 [!include[Improve request performance](improverequestperformance-new.md)]
@@ -57,8 +57,8 @@ Authorization | String | Bearer {token}. **Required**.
 Empty
 
 ## Response
-If TI Indicator exist and deleted successfully - 204 OK without content.
-If TI Indicator with the specified id was not found - 404 Not Found.
+If Indicator exist and deleted successfully - 204 OK without content.
+If Indicator with the specified id was not found - 404 Not Found.
 
 ## Example
 
@@ -67,7 +67,7 @@ If TI Indicator with the specified id was not found - 404 Not Found.
 Here is an example of the request.
 
 ```
-DELETE https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+DELETE https://api.securitycenter.windows.com/api/indicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
 ```
 
 **Response**

windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md

@@ -19,33 +19,30 @@ ms.date: 09/03/2018
 
 # Use Windows Defender ATP APIs
 
-**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 [!include[Prerelease information](prerelease.md)]
 
 
-This page describe how to create an application to get programmatical access to Windows Defender ATP on behalf of a user.
+This page describes how to create an application to get programmatic access to Windows Defender ATP on behalf of a user.
 
-If you need programmatical access Windows Defender ATP without a user, refer to [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md).
+If you need programmatic access Windows Defender ATP without a user, refer to [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md).
 
 If you are not sure which access you need, read the [Introduction page](apis-intro.md).
 
-Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
 
 In general, you’ll need to take the following steps to use the APIs:
-- Create an app
-- Get an access token
+- Create an AAD application
+- Get an access token using this application
 - Use the token to access Windows Defender ATP API
 
-This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+This page explains how to create an AAD application, get an access token to Windows Defender ATP and validate the token.
 
 >[!NOTE]
-> When accessing Windows Defender ATP API on behalf of a user, you will need the correct app permission and user permission.
+> When accessing Windows Defender ATP API on behalf of a user, you will need the correct App permission and user permission.
 > If you are not familiar with user permissions on Windows Defender ATP, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). 
 
 >[!TIP]
@@ -53,7 +50,7 @@ This page explains how to create an app, get an access token to Windows Defender
 
 ## Create an app
 
-1.	Log on to [Azure](https://portal.azure.com).
+1.	Log on to [Azure](https://portal.azure.com) with user that has Global Administrator role.
 
 2.	Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. 
 
@@ -78,13 +75,10 @@ This page explains how to create an app, get an access token to Windows Defender
 
     ![Image of API access and API selection](images/webapp-add-permission-2.png)
 
-6. Click **Select permissions** > check **Read alerts** and **Collect forensics** > **Select**.
+6. Click **Select permissions** > **Check the desired permissions** > **Select**.
 	
 	>[!IMPORTANT]
     >You need to select the relevant permissions. 'Read alerts' and 'Collect forensics' are only an example.
-
-    ![Image of select permissions](images/nativeapp-select-permissions.png)
-
 	For instance,
 
     - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
@@ -92,6 +86,8 @@ This page explains how to create an app, get an access token to Windows Defender
 
        To determine which permission you need, look at the **Permissions** section in the API you are interested to call.
 
+    ![Image of select permissions](images/nativeapp-select-permissions.png)
+
 
 7. Click **Done**
 
@@ -116,39 +112,51 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co
 
 ### Using C#
 
-The  code was below tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
-
-- Create a new Console Application
-- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
-- Add the below using
+- Copy/Paste the below class in your application.
+- Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token.
 
 	```
-	using Microsoft.IdentityModel.Clients.ActiveDirectory;
-	```
+	namespace WindowsDefenderATP
+	{
+		using System.Net.Http;
+		using System.Text;
+		using System.Threading.Tasks;
+		using Newtonsoft.Json.Linq;
 
-- Copy/Paste the below code in your application (pay attention to the comments in the code)
+		public static class WindowsDefenderATPUtils
+		{
+			private const string Authority = "https://login.windows.net";
 
-	```
-	const string authority = "https://login.windows.net";
-	const string wdatpResourceId = "https://api.securitycenter.windows.com";
+			private const string WdatpResourceId = "https://api.securitycenter.windows.com";
 
-	string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
-	string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+			public static async Task<string> AcquireUserTokenAsync(string username, string password, string appId, string tenantId)
+			{
+				using (var httpClient = new HttpClient())
+				{
+					var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}";
 
-	string username = "SecurityAdmin123@microsoft.com"; // Paste your username here
-	string password = GetPasswordFromSafePlace(); // Paste your own password here for a test, and then store it in a safe place! 
+					var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded");
 
-	UserPasswordCredential userCreds = new UserPasswordCredential(username, password);
+					using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false))
+					{
+						response.EnsureSuccessStatusCode();
 
-	AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}");
-	AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, appId, userCreds).GetAwaiter().GetResult();
-	string token = authenticationResult.AccessToken;
+						var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
+
+						var jObject = JObject.Parse(json);
+
+						return jObject["access_token"].Value<string>();
+					}
+				}
+			}
+		}
+	}
 	```
 
 ## Validate the token
 
 Sanity check to make sure you got a correct token:
-- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
+- Copy/paste into [JWT](https://jwt.ms) the token you got in the previous step in order to decode it
 - Validate you get a 'scp' claim with the desired app permissions
 - In the screenshot below you can see a decoded token acquired from the app in the tutorial:
 
@@ -168,12 +176,11 @@ Sanity check to make sure you got a correct token:
 
 	request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
 
-	var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+	var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
 
 	// Do something useful with the response
 	```
 
 ## Related topics
-- [Windows Defender ATP APIs](apis-intro.md)
-- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
-- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)
+- [Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md

@@ -19,32 +19,30 @@ ms.date: 09/03/2018
 
 # Create an app to access Windows Defender ATP without a user
 
-**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 [!include[Prerelease information](prerelease.md)]
 
-This page describes how to create an application to get programmatical access to Windows Defender ATP without a user.
+This page describes how to create an application to get programmatic access to Windows Defender ATP without a user.
 
-If you need programmatical access Windows Defender ATP on behalf of a user, see [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
+If you need programmatic access Windows Defender ATP on behalf of a user, see [Get access wtih user context](exposed-apis-create-app-nativeapp.md)
 
-If you are not sure which access you need, see [Use Windows Defender ATP APIs](apis-intro.md).
+If you are not sure which access you need, see [Get started](apis-intro.md).
 
 Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
 
 In general, you’ll need to take the following steps to use the APIs:
-- Create an app
-- Get an access token
+- Create an AAD application
+- Get an access token using this application
 - Use the token to access Windows Defender ATP API
 
-This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+This page explains how to create an AAD application, get an access token to Windows Defender ATP and validate the token.
 
 ## Create an app
 
-1.	Log on to [Azure](https://portal.azure.com).
+1.	Log on to [Azure](https://portal.azure.com) with user that has Global Administrator role.
 
 2.	Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. 
 
@@ -54,9 +52,9 @@ This page explains how to create an app, get an access token to Windows Defender
 
     ![Image of Create application window](images/webapp-create.png)
 
-    - **Name:** WdatpEcosystemPartner
+    - **Name:** Choose your own name. 
     - **Application type:** Web app / API
-    - **Redirect URI:** `https://WdatpEcosystemPartner.com` (The URL where user can sign in and use your app. You can change this URL later.)
+    - **Redirect URI:** `https://127.0.0.1`
 
 
 4.	Click **Settings** > **Required permissions** > **Add**.
@@ -69,18 +67,17 @@ This page explains how to create an app, get an access token to Windows Defender
 
     ![Image of API access and API selection](images/webapp-add-permission-2.png)
 
-6. Click **Select permissions** > **Run advanced queries** > **Select**.
+6. Click **Select permissions** > **Check the desired permissions** > **Select**.
 	
-	**Important note**: You need to select the relevant permission. 'Run advanced queries' is only an example!
-
-    ![Image of select permissions](images/webapp-select-permission.png)
+	**Important note**: You need to select the relevant permissions. 'Run advanced queries' is only an example!
 
 	For instance,
 
 	- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
 	- To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission
+	- To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
 
-	To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
+    ![Image of select permissions](images/webapp-select-permission.png)
 
 7. Click **Done**
 
@@ -94,7 +91,7 @@ This page explains how to create an app, get an access token to Windows Defender
 
 	![Image of Grant permissions](images/webapp-grant-permissions.png)
 
-9. Click **Keys** and type a key name and click **Save**.
+9. Click **Keys**, type a key name and click **Save**.
 
 	**Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave!
 
@@ -102,9 +99,9 @@ This page explains how to create an app, get an access token to Windows Defender
 
 10. Write down your application ID.
     
-	![Image of app ID](images/webapp-get-appid.png)
+	![Image of created app id](images/webapp-app-id1.png)
 
-11. Set your application to be multi-tenanted
+11. **For Windows Defender ATP Partners only** - Set your application to be multi-tenanted
 	
 	This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant).
 
@@ -114,26 +111,54 @@ This page explains how to create an app, get an access token to Windows Defender
 
 	![Image of multi tenant](images/webapp-edit-multitenant.png)
 
+	- Application consent for your multi-tenant App:
+	
+	You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with Windows Defender ATP application on behalf of your customer.
 
-## Application consent
-You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer.
+	You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
 
-You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
+	Consent link is of the form: 
 
-Consent link is of the form: 
+	```
+	https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​
+	```
 
-```
-https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​
-```
-
-where 00000000-0000-0000-0000-000000000000​ should be replaced with your Azure application ID
+	where 00000000-0000-0000-0000-000000000000​ should be replaced with your Azure application ID
 
 
-## Get an access token
+- **Done!** You have successfully registered an application! 
+- See examples below for token acquisition and validation.
+
+## Get an access token examples:
 
 For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
 
-### Using C#
+### Using PowerShell 
+
+```
+# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
+# Paste below your Tenant ID, App ID and App Secret (App key).
+ 
+$tenantId = '' ### Paste your tenant ID here
+$appId = '' ### Paste your app ID here
+$appSecret = '' ### Paste your app key here
+ 
+$resourceAppIdUri = 'https://api.securitycenter.windows.com'
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$authBody = [Ordered] @{
+    resource = "$resourceAppIdUri"
+    client_id = "$appId"
+    client_secret = "$appSecret"
+    grant_type = 'client_credentials'
+}
+$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
+$token = $authResponse.access_token
+Out-File -FilePath "./Latest-token.txt" -InputObject $token
+return $token
+
+```
+
+### Using C#:
 
 >The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
 
@@ -161,9 +186,6 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co
 	string token = authenticationResult.AccessToken;
 	```
 
-### Using PowerShell 
-
-Refer to [Get token using PowerShell](run-advanced-query-sample-powershell.md#get-token)
 
 ### Using Python
 
@@ -177,7 +199,7 @@ Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
 - Open a command window
 - ​Set CLIENT_ID to your Azure application ID
 - Set CLIENT_SECRET to your Azure application secret
-- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application
+- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Windows Defender ATP application
 - Run the below command:
 
 ```
@@ -195,7 +217,7 @@ You will get an answer of the form:
 Sanity check to make sure you got a correct token:
 - Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
 - Validate you get a 'roles' claim with the desired permissions
-- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Wdatp's roles:
+- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Windows Defender ATP's roles:
 
 ![Image of token validation](images/webapp-decoded-token.png)
 
@@ -213,12 +235,11 @@ Sanity check to make sure you got a correct token:
 
 	request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
 
-	var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+	var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
 
 	// Do something useful with the response
 	```
 
 ## Related topics
-- [Windows Defender ATP APIs](apis-intro.md)
 - [Supported Windows Defender ATP APIs](exposed-apis-list.md)
 - [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md

@@ -19,7 +19,7 @@ ms.date: 09/24/2018
 
 # Windows Defender ATP APIs using PowerShell
 **Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 
@@ -48,7 +48,7 @@ Set-ExecutionPolicy -ExecutionPolicy Bypass
 - Run the below
 
 > - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
-> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender ATP)
 > - $appSecret: Secret of your AAD app
 > - $suspiciousUrl: The URL
 

windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md

@@ -64,7 +64,6 @@ Content-type: application/json
             "rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "High",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
         },
@@ -149,7 +148,6 @@ Content-type: application/json
             "rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "High",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
         },
@@ -191,7 +189,6 @@ Content-type: application/json
             "rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "High",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
         },
@@ -233,7 +230,6 @@ Content-type: application/json
             "rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "High",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
         },
@@ -278,5 +274,23 @@ Content-type: application/json
 }
 ```
 
+### Example 7
+
+- Get the count of open alerts for a specific machine:
+
+```
+HTTP GET  https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+4
+
+```
+
 ## Related topic
 - [Windows Defender ATP APIs](apis-intro.md)

windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md

@@ -14,14 +14,15 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 12/08/2017
 ---
 
 # File resource type
+**Applies to:**
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 
-Represent a file entity in WDATP.
+Represent a file entity in Windows Defender ATP.
 
 # Methods
 Method|Return Type |Description
@@ -49,5 +50,5 @@ fileProductName | String | Product name.
 signer | String | File signer.
 issuer | String | File issuer.
 signerHash | String | Hash of the signing certificate.
-isValidCertificate | Boolean | Was signing certificate successfully verified by WDATP agent.
+isValidCertificate | Boolean | Was signing certificate successfully verified by  Windows Defender ATP agent.
 

windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md

@@ -102,7 +102,6 @@ Content-type: application/json
 			"rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
 			"riskScore": "Low",
-			"isAadJoined": true,
 			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2" ]
         }

windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -98,7 +98,6 @@ Content-type: application/json
             "rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2" ]
         },
@@ -117,7 +116,6 @@ Content-type: application/json
 			"rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-			"isAadJoined": false,
             "aadDeviceId": null,
 			"machineTags": [ "test tag 1" ]
         }

windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -98,7 +98,6 @@ Content-type: application/json
             "healthStatus": "Active",
             "rbacGroupId": 140,
             "riskScore": "Low",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2" ]
         },
@@ -116,7 +115,6 @@ Content-type: application/json
             "healthStatus": "Inactive",
 			"rbacGroupId": 140,
             "riskScore": "Low",
-			"isAadJoined": false,
             "aadDeviceId": null,
 			"machineTags": [ "test tag 1" ]
         }

windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -98,7 +98,6 @@ Content-type: application/json
             "rbacGroupId": 140,
             "riskScore": "Low",
 			"rbacGroupName": "The-A-Team",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2" ]
         },
@@ -117,7 +116,6 @@ Content-type: application/json
 			"rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-			"isAadJoined": false,
             "aadDeviceId": null,
 			"machineTags": [ "test tag 1" ]
         }

windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md

@@ -99,7 +99,6 @@ Content-type: application/json
     "rbacGroupId": 140,
 	"rbacGroupName": "The-A-Team",
     "riskScore": "Low",
-	"isAadJoined": true,
     "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 	"machineTags": [ "test tag 1", "test tag 2" ]
 }

windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md

@@ -14,18 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 12/08/2017
 ---
 
 # List machines API
 
 **Applies to:**
-
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 
-- Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
+- Retrieves a collection of machines that have communicated with  Windows Defender ATP cloud on the last 30 days.
 - Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
 - The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
 - See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md

@@ -1,96 +0,0 @@
----
-title: Get Ti Indicator by ID API
-description: Retrieves Ti Indicator entity by ID.
-keywords: apis, public api, supported apis, get, ti indicator, entity, id
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-ms.date: 12/08/2017
----
-
-# Get TI Indicator by ID API
-
-[!include[Prerelease information](prerelease.md)]
-
->[!Note]
-> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
-
-
-**Applies to:**
-
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Retrieves a TI Indicator entity by ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
-
-Permission type |	Permission	|	Permission display name
-:---|:---|:---
-Application |	Ti.ReadWrite |	'Read and write TI Indicators'
-
-
-## HTTP request
-```
-GET https://api.securitycenter.windows.com/api/tiindicators/{id}
-```
-
-[!include[Improve request performance](improverequestperformance-new.md)]
-
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and TI Indicator exists - 200 OK with the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the body.
-If TI Indicator with the specified id was not found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators/$entity",
-    "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
-    "indicatorType": "FileSha1",
-    "title": "test",
-    "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
-    "createdBy": "45097602-0cfe-4cc6-925f-9f453233e62c",
-    "expirationTime": "2020-12-12T00:00:00Z",
-    "action": "AlertAndBlock",
-    "severity": "Informational",
-    "description": "test",
-    "recommendedActions": "TEST"
-}
-
-```

windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md

@@ -1,7 +1,7 @@
 ---
-title: List TiIndicators API
-description: Use this API to create calls related to get TiIndicators collection
-keywords: apis, public api, supported apis, TiIndicators collection
+title: List Indicators API
+description: Use this API to create calls related to get Indicators collection
+keywords: apis, public api, supported apis, Indicators collection
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -17,32 +17,32 @@ ms.topic: article
 ms.date: 12/08/2017
 ---
 
-# List TiIndicators API
+# List Indicators API
+
+**Applies to:** 
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 
 >[!Note]
-> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+> Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information)
 
 
-**Applies to:**
-
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
- Gets collection of TI Indicators.
- Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+- Gets collection of TI Indicators.
+- Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/).
 
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
 
 Permission type |	Permission	|	Permission display name
 :---|:---|:---
-Application |	Ti.ReadWrite |	'Read and write TI Indicators'
+Application |	Ti.ReadWrite |	'Read and write Indicators'
+Application |	Ti.ReadWrite.All |	'Read and write All Indicators'
 
 
 ## HTTP request
 ```
-GET https://api.securitycenter.windows.com/api/tiindicators
+GET https://api.securitycenter.windows.com/api/indicators
 ```
 
 [!include[Improve request performance](improverequestperformance-new.md)]
@@ -58,20 +58,19 @@ Authorization | String | Bearer {token}. **Required**.
 Empty
 
 ## Response
-If successful, this method returns 200, Ok response code with a collection of [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+If successful, this method returns 200, Ok response code with a collection of [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
 
 >[!Note]
-> The response will only include TI Indicators that submitted by the calling Application. 
+> If the Application has 'Ti.ReadWrite.All' permission, it will be exposed to all Indicators. Otherwise, it will be exposed only to the Indicators it created.
 
-
-## Example
+## Example 1:
 
 **Request**
 
-Here is an example of a request that gets all TI Indicators
+Here is an example of a request that gets all Indicators
 
 ```
-GET https://api.securitycenter.windows.com/api/tiindicators
+GET https://api.securitycenter.windows.com/api/indicators
 ```
 
 **Response**
@@ -82,22 +81,23 @@ Here is an example of the response.
 HTTP/1.1 200 Ok
 Content-type: application/json
 {
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators",
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
     "value": [
         {
-            "indicator": "12.13.14.15",
+            "indicatorValue": "12.13.14.15",
             "indicatorType": "IpAddress",
             "title": "test",
             "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
             "createdBy": "45097602-1234-5678-1234-9f453233e62c",
             "expirationTime": "2020-12-12T00:00:00Z",
-            "action": "AlertAndBlock",
+            "action": "Alert",
             "severity": "Informational",
             "description": "test",
-            "recommendedActions": "test"
+            "recommendedActions": "test",
+			"rbacGroupNames": []
         },
         {
-            "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+            "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
             "indicatorType": "FileSha1",
             "title": "test",
             "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
@@ -106,8 +106,48 @@ Content-type: application/json
             "action": "AlertAndBlock",
             "severity": "Informational",
             "description": "test",
-            "recommendedActions": "TEST"
+            "recommendedActions": "TEST",
+			"rbacGroupNames": [ "Group1", "Group2" ]
         }
+		...
+    ]
+}
+```
+
+## Example 2:
+
+**Request**
+
+Here is an example of a request that gets all Indicators with 'AlertAndBlock' action 
+
+```
+GET https://api.securitycenter.windows.com/api/indicators?$filter=action eq 'AlertAndBlock'
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
+    "value": [
+        {
+            "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+            "indicatorType": "FileSha1",
+            "title": "test",
+            "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+            "createdBy": "45097602-1234-5678-1234-9f453233e62c",
+            "expirationTime": "2020-12-12T00:00:00Z",
+            "action": "AlertAndBlock",
+            "severity": "Informational",
+            "description": "test",
+            "recommendedActions": "TEST",
+			"rbacGroupNames": [ "Group1", "Group2" ]
+        }
+		...
     ]
 }
 ```

windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md

@@ -14,17 +14,14 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 12/08/2017
 ---
 
 # Get user information API
+**Applies to:**
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 
-**Applies to:**
-
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
 Retrieve a User entity by key (user name).
 
 ## Permissions

windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -101,7 +101,6 @@ Content-type: application/json
             "rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-			"isAadJoined": true,
             "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 			"machineTags": [ "test tag 1", "test tag 2" ]
         },
@@ -120,7 +119,6 @@ Content-type: application/json
 			"rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-			"isAadJoined": false,
             "aadDeviceId": null,
 			"machineTags": [ "test tag 1" ]
         }

windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,98 @@
+---
+title: Initiate machine investigation API
+description: Use this API to create calls related to initiating an investigation on a machine.
+keywords: apis, graph api, supported apis, initiate AutoIR investigation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Initiate machine investigation API (Preview)
+**Applies to:**
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Initiate AutoIR investigation on a machine.
+
+>[!Note]
+> This page focuses on performing an automated investigation on a machine. See [Automated Investigation](automated-investigations-windows-defender-advanced-threat-protection.md) for more information.
+
+## Limitations
+1. The number of executions is limited (up to 5 calls per hour).
+2. For Automated Investigation limitations, see [Automated Investigation](automated-investigations-windows-defender-advanced-threat-protection.md).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.ReadWrite.All	 |	'Read and write all alerts'
+Delegated (work or school account) |	Alert.ReadWrite |	'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/InitiateInvestigation
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter |	Type	| Description
+:---|:---|:---
+Comment |	String |	Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 200 OK response code with object that holds the investigation ID in the "value" parameter. If machine was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/InitiateInvestigation
+Content-type: application/json
+{
+  "Comment": "Initiate an investigation on machine fb9ab6be3965095a09c057be7c90f0a2"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 Created
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.Int64",
+    "value": 5146
+}
+
+```

windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md

@@ -57,7 +57,7 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows
 
 1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product.
 
-	![Image of Set up your permissions for WDATP](images\atp-setup-permissions-wdatp-portal.png)
+	![Image of Set up your permissions for Windows Defender ATP](images\atp-setup-permissions-wdatp-portal.png)
 
 	Once the authorization step is completed, the **Welcome** screen will be displayed.
 

windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md

@@ -14,10 +14,11 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 11/11/2018
 ---
 
 # Machine resource type
+**Applies to:**
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 
 # Methods
@@ -35,18 +36,17 @@ Property |	Type	|	Description
 :---|:---|:---
 id | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) identity.
 computerDnsName | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) fully qualified name.
-firstSeen | DateTimeOffset | First date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
-lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
+firstSeen | DateTimeOffset | First date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by Windows Defender ATP.
+lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by Windows Defender ATP.
 osPlatform | String | OS platform.
 osVersion | String | OS Version.
 lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
 lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
-agentVersion | String | Version of WDATP agent.
+agentVersion | String | Version of Windows Defender ATP agent.
 osBuild | Nullable long | OS build number.
 healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
 rbacGroupId | Int | RBAC Group ID.
 rbacGroupName | String | RBAC Group Name.
-riskScore | Nullable Enum | Risk score as evaluated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
-isAadJoined | Nullable Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
+riskScore | Nullable Enum | Risk score as evaluated by Windows Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
 aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
 machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.

windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md

@@ -20,7 +20,7 @@ ms.date: 12/08/2017
 # MachineAction resource type
 
 **Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 
@@ -35,7 +35,7 @@ Method|Return Type |Description
 [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Restrict application execution.
 [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Remove application execution restriction.
 [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Run an AV scan using Windows Defender (when applicable).
-[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from WDATP.
+[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from Windows Defender ATP.
 
 # Properties
 Property |	Type	|	Description

windows/security/threat-protection/windows-defender-atp/machineactionsnote.md

@@ -3,4 +3,4 @@ ms.date: 08/28/2017
 author: zavidor
 ---
 >[!Note]
-> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP.
+> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via Windows Defender ATP.

windows/security/threat-protection/windows-defender-atp/management-apis.md

@@ -61,7 +61,7 @@ Managed security service provider | Get a quick overview on managed security ser
 ## Related topics
 - [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
 - [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Use the Windows Defender ATP exposed APIs](use-apis.md)
+- [Windows Defender ATP Public API](use-apis.md)
 - [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
 - [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
 - [Role-based access control](rbac-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md

@@ -14,16 +14,15 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 12/08/2017
 ---
 
 # Offboard machine API
 **Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 
-Offboard machine from WDATP.
+Offboard machine from Windows Defender ATP.
 
 [!include[Machine actions note](machineactionsnote.md)]
 

windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md

@@ -1,7 +1,7 @@
 ---
-title: Submit or Update Ti Indicator API
-description: Use this API to submit or Update Ti Indicator.
-keywords: apis, graph api, supported apis, submit, ti, ti indicator, update
+title: Submit or Update Indicator API
+description: Use this API to submit or Update Indicator.
+keywords: apis, graph api, supported apis, submit, ti, indicator, update
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -17,32 +17,32 @@ ms.topic: article
 ms.date: 12/08/2017
 ---
 
-# Submit or Update TI Indicator API
+# Submit or Update Indicator API
+
+**Applies to:** 
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 
 >[!Note]
-> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+> Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information)
 
 
-**Applies to:**
-
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-- Submits or Updates new [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+- Submits or Updates new [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
 
 
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
 
 Permission type |	Permission	|	Permission display name
 :---|:---|:---
-Application |	Ti.ReadWrite |	'Read and write TI Indicators'
+Application |	Ti.ReadWrite |	'Read and write Indicators'
+Application |	Ti.ReadWrite.All |	'Read and write All Indicators'
 
 
 ## HTTP request
 ```
-POST https://api.securitycenter.windows.com/api/tiindicators
+POST https://api.securitycenter.windows.com/api/indicators
 ```
 
 [!include[Improve request performance](improverequestperformance-new.md)]
@@ -60,10 +60,10 @@ In the request body, supply a JSON object with the following parameters:
 
 Parameter |	Type	| Description
 :---|:---|:---
-indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required**
+indicatorValue | String | Identity of the [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required**
 indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
 action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
-title | String | TI indicator alert title. **Optional**
+title | String | Indicator alert title. **Optional**
 expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional**
 severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
 description | String | Description of the indicator. **Optional**
@@ -71,8 +71,8 @@ recommendedActions | String | TI indicator alert recommended actions. **Optional
 
 
 ## Response
-- If successful, this method returns 200 - OK response code and the created / updated [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body.
-- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit a TI Indicator with existing indicator value but with different Indicator type or Action.  
+- If successful, this method returns 200 - OK response code and the created / updated [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body.
+- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit an Indicator that conflicts with an existing Indicator type or Action.  
 
 ## Example
 
@@ -81,10 +81,10 @@ recommendedActions | String | TI indicator alert recommended actions. **Optional
 Here is an example of the request.
 
 ```
-POST https://api.securitycenter.windows.com/api/tiindicators
+POST https://api.securitycenter.windows.com/api/indicators
 Content-type: application/json
 {
-	"indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+	"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
 	"indicatorType": "FileSha1",
 	"title": "test",
 	"expirationTime": "2020-12-12T00:00:00Z",
@@ -103,8 +103,8 @@ Here is an example of the response.
 HTTP/1.1 200 OK
 Content-type: application/json
 {
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
-    "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators/$entity",
+    "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
     "indicatorType": "FileSha1",
     "title": "test",
     "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
@@ -113,7 +113,8 @@ Content-type: application/json
     "action": "AlertAndBlock",
     "severity": "Informational",
     "description": "test",
-    "recommendedActions": "TEST"
+    "recommendedActions": "TEST",
+	"rbacGroupNames": []
 }
 
 ```

windows/security/threat-protection/windows-defender-atp/prerelease.md

@@ -1,6 +1,6 @@
 ---
 ms.date: 08/28/2017
 ---
->[!IMPORTANT]
 
+>[!IMPORTANT]
 >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md

@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Pull Windows Defender ATP alerts using REST API
+# Pull Windows Defender ATP alerts using SIEM REST API
 
 **Applies to:**
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md

@@ -18,22 +18,19 @@ ms.date: 09/03/2018
 ---
 
 # Advanced hunting API
-**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
 [!include[Prerelease information](prerelease.md)]
 
-
-
 This API allows you to run programmatic queries that you are used to running from [Windows Defender ATP Portal](https://securitycenter.windows.com/hunting).
 
 
 ## Limitations
-This API is a beta version only and is currently restricted to the following actions:
-1. ​You can only run a query on data from the last 30 days
+1. You can only run a query on data from the last 30 days
 2. The results will include a maximum of 10,000 rows
-3. The number of executions is limited​ (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day)
+3. The number of executions is limited (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day)
+4. The maximal execution time of a single request is 10 minutes.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@@ -45,7 +42,7 @@ Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries'
 
 >[!Note]
 > When obtaining a token using user credentials:
->- The user needs to have 'Global Admin' AD role (note: will be updated soon to 'View Data')
+>- The user needs to have 'View Data' AD role
 >- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
 
 ## HTTP request
@@ -135,7 +132,7 @@ Content-Type: application/json​
 
 ## T​roubl​eshoot issues
 
-- Error: (403) Forbidden
+- Error: (403) Forbidden / (401) Unauthorized
 	
 	
     If you get this error when calling Windows Defender ATP API, your token might not include the necessary permission.

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md

@@ -19,7 +19,7 @@ ms.date: 09/24/2018
 
 # Advanced Hunting using PowerShell
 **Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 
@@ -65,7 +65,7 @@ $aadToken = $response.access_token
 
 where
 - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
-- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender ATP)
 - $appSecret: Secret of your AAD app
 
 ## Run query

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md

@@ -65,7 +65,7 @@ aadToken = jsonResponse["access_token"]
 
 where
 - tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
-- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender ATP)
 - appSecret: Secret of your AAD app
 
 ## Run query

windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md

@@ -1,7 +1,7 @@
 ---
-title: TiIndicator resource type
-description: TiIndicator entity description.
-keywords: apis, supported apis, get, TiIndicator, recent
+title: Indicator resource type
+description: Indicator entity description.
+keywords: apis, supported apis, get, TiIndicator, Indicator, recent
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -17,33 +17,33 @@ ms.topic: article
 ms.date: 12/08/2017
 ---
 
-# TI(threat intelligence) Indicator resource type
+# Indicator resource type
 
-**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+**Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease information](prerelease.md)]
 
 Method|Return Type |Description
 :---|:---|:---
-[List TI Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
-[Get TI Indicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Gets the requested [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
-[Submit TI Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
-[Delete TI Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | No Content | Deletes [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[List Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+[Submit Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[Delete Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | No Content | Deletes [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
 
+- See the corresponding [page](https://securitycenter.windows.com/preferences2/custom_ti_indicators/files) in the portal: 
 
 # Properties
 Property |	Type	|	Description
 :---|:---|:---
-indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+indicatorValue | String | Identity of the [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
 indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url"
-title | String | Ti indicator alert title.
+title | String | Indicator alert title.
 creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created.
 createdBy | String | Identity of the user/application that submitted the indicator.
 expirationTime | DateTimeOffset | The expiration time of the indicator
 action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed"
 severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High"
 description | String | Description of the indicator.
-recommendedActions | String | TI indicator alert recommended actions.
+recommendedActions | String | Indicator alert recommended actions.
+rbacGroupNames | List of strings | RBAC group names where the indicator is exposed. Empty list in case it exposed to all groups.
 
 

windows/security/threat-protection/windows-defender-atp/use-apis.md

@@ -1,7 +1,7 @@
 ---
-title: Use the Windows Defender Advanced Threat Protection APIs  
+title: Windows Defender ATP Public API 
 description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
-keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
+keywords: apis, api, wdatp, open api, windows defender atp api, public api, alerts, machine, user, domain, ip, file
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -17,14 +17,15 @@ ms.topic: conceptual
 ms.date: 11/28/2018
 ---
 
-# Use the Windows Defender ATP exposed APIs
+# Windows Defender ATP Public API
 
-**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+
+> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 ## In this section
 Topic | Description
 :---|:---
-Create your app | Learn how to create an application to get programmatical access to Windows Defender ATP [on behalf of a user](exposed-apis-create-app-nativeapp.md) or [without a user](exposed-apis-create-app-webapp.md).
-Supported Windows Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts-windows-defender-advanced-threat-protection-new.md), [domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md), or even actions such as [isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md).
+[Windows Defender ATP API overview](apis-intro.md) | Learn how to access to Windows Defender ATP Public API and on which context. 
+[Supported Windows Defender ATP APIs](exposed-apis-list.md) | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts-windows-defender-advanced-threat-protection-new.md), [domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md), or even actions such as [isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md).
 How to use APIs - Samples | Learn how to use Advanced hunting APIs and multiple APIs such as PowerShell. Other examples include [schedule advanced hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) or [OData queries](exposed-apis-odata-samples.md).

windows/whats-new/whats-new-windows-10-version-1803.md

@@ -135,7 +135,7 @@ Portions of the work done during the offline phases of a Windows update have bee
 
 ### Co-management
 
-Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+Intune and System Center Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
 
 For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)