Merge branch 'master' into MDBranchPhase1ADMXBackedPoliciesSet3

windows/client-management/mdm/policy-csp-restrictedgroups.md

@@ -142,8 +142,8 @@ Here's an example:
 </groupmembership>
 ```
 where:
-- `<accessgroup desc>` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
-- `<member name>` contains the members to add to the group in `<accessgroup desc>`. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. For best results, use SID for `<member name>`. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
+- `<accessgroup desc>` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
+- `<member name>` contains the members to add to the group in `<accessgroup desc>`. A member can be specified as a name or as a SID. For best results, use a SID for `<member name>`. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in AD or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
 - In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group.
 
 > [!NOTE]

windows/client-management/mdm/policy-csp-update.md

@@ -2918,7 +2918,7 @@ The following list shows the supported values:
 Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
 
 
-Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
+Added in Windows 10, version 1607. Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you are running Windows 10, version 1703 or later.
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -2934,7 +2934,7 @@ ADMX Info:
 The following list shows the supported values:
 
 -   0 (default) – Feature Updates are not paused.
--   1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
+-   1 – Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner.
 
 <!--/SupportedValues-->
 <!--/Policy-->
@@ -3047,7 +3047,7 @@ ADMX Info:
 
 <!--/Scope-->
 <!--Description-->
-Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
+Added in Windows 10, version 1607. Allows IT Admins to pause quality updates. For those running Windows 10, version 1703 or later, we recommend that you use *Update/PauseQualityUpdatesStartTime* instead.
 
 <!--/Description-->
 <!--ADMXMapped-->

windows/deployment/volume-activation/activate-using-key-management-service-vamt.md

@@ -20,6 +20,7 @@ ms.topic: article
 # Activate using Key Management Service
 
 **Applies to**
+
 - Windows 10
 - Windows 8.1
 - Windows 8
@@ -30,9 +31,11 @@ ms.topic: article
 
 **Looking for retail activation?**
 
--   [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/)
+- [Get Help Activating Microsoft Windows 7 or Windows 8.1 ](https://go.microsoft.com/fwlink/p/?LinkId=618644)
 
 There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host:
+
 - Host KMS on a computer running Windows 10
 - Host KMS on a computer running Windows Server 2012 R2
 - Host KMS on a computer running an earlier version of Windows
@@ -43,11 +46,12 @@ Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.co
 
 Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
 Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
-To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services.
+To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft activation services.
 
-**Configure KMS in Windows 10**
+### Configure KMS in Windows 10
 
 To activate, use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands:
+
 - To install the KMS key, type `slmgr.vbs /ipk <KmsKey>`.
 - To activate online, type `slmgr.vbs /ato`.
 - To activate by telephone, follow these steps:
@@ -59,18 +63,18 @@ To activate , use the slmgr.vbs command. Open an elevated command prompt and run
 For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032).
 
 ## Key Management Service in Windows Server 2012 R2
+
 Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
 
-**Note**  
-You cannot install a client KMS key into the KMS in Windows Server.
+> [!NOTE]
+> You cannot install a client KMS key into the KMS in Windows Server.
 
 This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden.
 
-**Note**  
+> [!NOTE]
+> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
 
-If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
-
-**Configure KMS in Windows Server 2012 R2**
+### Configure KMS in Windows Server 2012 R2
 
 1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
 2. Launch Server Manager.
@@ -78,7 +82,7 @@ If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise,
 
    ![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg)
 
-   **Figure 4**. Adding the Volume Activation Services role in Server Manager\
+   **Figure 4**. Adding the Volume Activation Services role in Server Manager
 
 4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
 
@@ -93,14 +97,14 @@ If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise,
 
    **Figure 6**. Configuring the computer as a KMS host
 
-5. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
+6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
 
    ![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg)
 
    **Figure 7**. Installing your KMS host key
 
-6. If asked to confirm replacement of an existing key, click **Yes**.
-7. After the product key is installed, you must activate it. Click **Next** (Figure 8).
+7. If asked to confirm replacement of an existing key, click **Yes**.
+8. After the product key is installed, you must activate it. Click **Next** (Figure 8).
 
    ![Activating the software](../images/volumeactivationforwindows81-08.jpg)
 
@@ -124,13 +128,14 @@ You can verify KMS volume activation from the KMS host server or from the client
 To verify that KMS volume activation works, complete the following steps:
 
 1. On the KMS host, open the event log and confirm that DNS publishing is successful.
-2.  On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.<p>
+2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.
+
    The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
-3.  On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.<p>
+3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr.vbs /dlv**, and then press ENTER.
 
    The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
 
-For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://go.microsoft.com/fwlink/p/?LinkId=733639).
+For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
 
 ## Key Management Service in earlier versions of Windows
 
@@ -144,4 +149,5 @@ If you have already established a KMS infrastructure in your organization for an
 For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
 
 ## See also
+
 - [Volume Activation for Windows 10](volume-activation-windows-10.md)

windows/deployment/volume-activation/introduction-vamt.md

@@ -19,10 +19,11 @@ ms.topic: article
 
 The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012.
 
-**Note**  
-VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
+> [!NOTE]
+> VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
 
 ## In this Topic
+
 - [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
 - [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
 - [Enterprise Environment](#bkmk-enterpriseenvironment)
@@ -31,12 +32,13 @@ VAMT can be installed on, and can manage, physical or virtual instances. VAMT ca
 ## <a href="" id="bkmk-managingmak"></a>Managing Multiple Activation Key (MAK) and Retail Activation
 
 You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
+
 - **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
 - **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
 
 ## <a href="" id="bkmk-managingkms"></a>Managing Key Management Service (KMS) Activation
 
-In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
+In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.\
 VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
 
 ## <a href="" id="bkmk-enterpriseenvironment"></a>Enterprise Environment
@@ -55,6 +57,7 @@ The following screenshot shows the VAMT graphical user interface.
 ![VAMT user interface](images/vamtuserinterfaceupdated.jpg)
 
 VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
+
 - **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
 - **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
 - **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
@@ -62,6 +65,5 @@ VAMT provides a single, graphical user interface for managing activations, and f
 - **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
 
 ## Related topics
+
 - [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
- 
- 

windows/security/threat-protection/TOC.md

@@ -544,6 +544,7 @@
 ####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
 ####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
 ####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
+####### [Set device value](microsoft-defender-atp/set-device-value.md)
 
 ###### [Machine Action]()
 ####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)

windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md

@@ -71,6 +71,30 @@ All our updates contain:
 * integration improvements (Cloud, MTP)  
 <br/>
 <details>
+<summary> September-2020 (Platform: 4.18.2009.X | Engine: 1.1.17500.4)</summary>
+
+&ensp;Security intelligence update version: **1.325.10.0**  
+&ensp;Released: **October 01, 2020**  
+&ensp;Platform: **4.18.2009.X**  
+&ensp;Engine: **1.1.17500.4**  
+&ensp;Support phase: **Security and Critical Updates**
+    
+### What's new
+*Admin permissions are required to restore files in quarantine
+*XML formatted events are now supported
+*CSP support for ignoring exclusion merge
+*New management interfaces for:
++UDP Inspection
++Network Protection on Server 2019
++IP Address exclusions for Network Protection
+*Improved visibility into TPM measurements
+*Improved Office VBA module scanning
+
+### Known Issues
+No known issues  
+<br/>
+</details>
+<details>
 <summary> August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)</summary>
 
 &ensp;Security intelligence update version: **1.323.9.0**  
@@ -84,7 +108,7 @@ All our updates contain:
 * Improved scan event telemetry
 * Improved behavior monitoring for memory scans
 * Improved macro streams scanning
-* Added "AMRunningMode" to Get-MpComputerStatus Powershell CmdLet
+* Added "AMRunningMode" to Get-MpComputerStatus PowerShell CmdLet
 
 ### Known Issues
 No known issues  
@@ -116,7 +140,7 @@ No known issues
 &ensp;Released: **June 22, 2020**  
 &ensp;Platform: **4.18.2006.10**  
 &ensp;Engine: **1.1.17200.2**  
-&ensp;Support phase: **Security and Critical Updates**
+&ensp;Support phase: **Technical upgrade Support (Only)**
     
 ### What's new
 * Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)

windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md

@@ -10,8 +10,8 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer: 
+ms.date: 10/01/2018
+ms.reviewer: ksarens
 manager: dansimp
 ---
 
@@ -96,7 +96,7 @@ Root | Allow antimalware service to start up with normal priority | [Configure r
 Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
 Root | Turn off routine remediation | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
 Root | Randomize scheduled task times | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
+Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) (Not supported on Windows 10)
 Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
 Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
 Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md

@@ -29,7 +29,7 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a
 
 ## Enable the Insider program with Jamf
 
-a. Create configuration profile com.microsoft.wdav.plist with the following content:
+1. Create configuration profile com.microsoft.wdav.plist with the following content:
 
    ```XML
        <?xml version="1.0" encoding="UTF-8"?>
@@ -45,16 +45,16 @@ a. Create configuration profile com.microsoft.wdav.plist with the following cont
        </plist>
    ```
 
-b. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**.
+1. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**.
 
-c. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier.
+1. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier.
 
    > [!WARNING]
    > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
 
 ## Enable the Insider program with Intune
 
-a. Create configuration profile com.microsoft.wdav.plist with the following content:
+1. Create configuration profile com.microsoft.wdav.plist with the following content:
 
     ```XML
        <?xml version="1.0" encoding="utf-8"?>
@@ -111,19 +111,19 @@ a. Create configuration profile com.microsoft.wdav.plist with the following cont
        </plist>
    ```
 
-b. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**.
+1. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**.
 
-c. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**.
+1. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**.
 
-d. Save the .plist created earlier as com.microsoft.wdav.xml.
+1. Save the .plist created earlier as com.microsoft.wdav.xml.
 
-e. Enter com.microsoft.wdav as the custom configuration profile name.
+1. Enter com.microsoft.wdav as the custom configuration profile name.
 
-f. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
+1. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
 
-g. Select  **OK**.
+1. Select  **OK**.
 
-h. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**.
+1. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**.
 
    > [!WARNING]
    > You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
@@ -161,4 +161,4 @@ After a successful deployment and onboarding of the correct version, check that
 
 * Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
 
-If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
+If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).

windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md

@@ -28,7 +28,8 @@ ms.topic: conceptual
 
 This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps:
 - [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Application installation](#application-installation)
+- [Application installation (macOS 10.15 and older versions)](#application-installation-macos-1015-and-older-versions)
+- [Application installation (macOS 11 and newer versions)](#application-installation-macos-11-and-newer-versions)
 - [Client configuration](#client-configuration)
 
 ## Prerequisites and system requirements
@@ -48,7 +49,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
 
 5. From a command prompt, verify that you have the two files.
     
-## Application installation
+## Application installation (macOS 10.15 and older versions)
 
 To complete this process, you must have admin privileges on the device.
 
@@ -77,6 +78,34 @@ To complete this process, you must have admin privileges on the device.
 > [!NOTE]
 > macOS may request to reboot the device upon the first installation of Microsoft Defender. Real-time protection will not be available until the device is rebooted.
 
+## Application installation (macOS 11 and newer versions)
+
+To complete this process, you must have admin privileges on the device.
+
+1. Navigate to the downloaded wdav.pkg in Finder and open it.
+
+    ![App install screenshot](images/big-sur-install-1.png)
+
+2. Select **Continue**, agree with the License terms, and enter the password when prompted.
+
+3. At the end of the installation process, you will be promoted to approve the system extensions used by the product. Select **Open Security Preferences**.
+
+    ![System extension approval](images/big-sur-install-2.png)
+
+4. From the **Security & Privacy** window, select **Allow**.
+
+    ![System extension security preferences](images/big-sur-install-3.png)
+
+5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender ATP for Mac.
+
+6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. When prompted to grant Microsoft Defender ATP permissions to filter network traffic, select **Allow**.
+
+    ![System extension security preferences](images/big-sur-install-4.png)
+
+7. Open **System Preferences** > **Security & Privacy** and navigate to the **Privacy** tab. Grant **Full Disk Access** permission to **Microsoft Defender ATP** and **Microsoft Defender ATP Endpoint Security Extension**.
+
+    ![Full disk access](images/big-sur-install-5.png)
+
 ## Client configuration
 
 1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender ATP for macOS.

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md

@@ -34,6 +34,7 @@ This topic describes how to deploy Microsoft Defender ATP for Mac through Intune
 
 1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
 1. [Client device setup](#client-device-setup)
+1. [Approve system extensions](#approve-system-extensions)
 1. [Create System Configuration profiles](#create-system-configuration-profiles)
 1. [Publish application](#publish-application)
 
@@ -48,24 +49,30 @@ The following table summarizes the steps you would need to take to deploy and ma
 | Step | Sample file names | BundleIdentifier |
 |-|-|-|
 | [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
+| [Approve System Extension for Microsoft Defender ATP](#approve-system-extensions) | MDATP_SysExt.xml | N/A |
 | [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
 | [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
+| [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A |
 | [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
 | [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)<br/><br/> **Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
-| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
+| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
 
 ## Download installation and onboarding packages
 
 Download the installation and onboarding packages from Microsoft Defender Security Center:
 
 1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
+
 2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
 
     ![Onboarding settings screenshot](images/atp-mac-install.png)
 
 3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
+
 4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
+
 5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
+
 6. From a command prompt, verify that you have the three files.
   
 
@@ -134,199 +141,81 @@ You may now enroll more devices. You can also enroll them later, after you have
 
 3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
 
-![Add Devices screenshot](../microsoft-defender-antivirus/images/MDATP-5-allDevices.png)
+   > [!div class="mx-imgBorder"]
+   > ![Add Devices screenshot](../microsoft-defender-antivirus/images/MDATP-5-allDevices.png)
+
+## Approve System Extensions
+
+To approve the system extensions:
+
+1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
+2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
+
+3. In the `Basics` tab, give a name to this new profile.
+
+4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
+
+    Bundle identifier         | Team identifier
+    --------------------------|----------------
+    com.microsoft.wdav.epsext | UBF8T346G9
+    com.microsoft.wdav.netext | UBF8T346G9
+
+    > [!div class="mx-imgBorder"]
+    > ![System configuration profiles screenshot](images/mac-system-extension-intune2.png)
+
+5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
+
+6. Review and create this configuration profile.
 
 ## Create System Configuration profiles
 
 1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
 2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
+
 3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
+
 4. Select **OK**.
 
     ![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-6-SystemConfigurationProfiles.png)
 
 5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+
 6. Repeat steps 1 through 5 for more profiles.
+
 7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
-8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.<a name="create-system-configuration-profiles-step-8" id = "create-system-configuration-profiles-step-8"></a>
+
+8. Download `fulldisk.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and save it as `tcc.xml`. Create another profile, give it any name and upload this file to it.<a name="create-system-configuration-profiles-step-8" id = "create-system-configuration-profiles-step-8"></a>
 
    > [!CAUTION]
    > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
    >
-   > The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
+   > This configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
 
-   ```xml
-   <?xml version="1.0" encoding="UTF-8"?>
-   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-   <plist version="1.0">
-   <dict>
-       <key>PayloadDescription</key>
-       <string>Allows Microsoft Defender to access all files on Catalina+</string>
-       <key>PayloadDisplayName</key>
-       <string>TCC - Microsoft Defender</string>
-       <key>PayloadIdentifier</key>
-       <string>com.microsoft.wdav.tcc</string>
-       <key>PayloadOrganization</key>
-       <string>Microsoft Corp.</string>
-       <key>PayloadRemovalDisallowed</key>
-       <false/>
-       <key>PayloadScope</key>
-       <string>system</string>
-       <key>PayloadType</key>
-       <string>Configuration</string>
-       <key>PayloadUUID</key>
-       <string>C234DF2E-DFF6-11E9-B279-001C4299FB44</string>
-       <key>PayloadVersion</key>
-       <integer>1</integer>
-       <key>PayloadContent</key>
-       <array>
-       <dict>
-           <key>PayloadDescription</key>
-           <string>Allows Microsoft Defender to access all files on Catalina+</string>
-           <key>PayloadDisplayName</key>
-           <string>TCC - Microsoft Defender</string>
-           <key>PayloadIdentifier</key>
-           <string>com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
-           <key>PayloadOrganization</key>
-           <string>Microsoft Corp.</string>
-           <key>PayloadType</key>
-           <string>com.apple.TCC.configuration-profile-policy</string>
-           <key>PayloadUUID</key>
-           <string>C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
-           <key>PayloadVersion</key>
-           <integer>1</integer>
-           <key>Services</key>
-           <dict>
-               <key>SystemPolicyAllFiles</key>
-               <array>
-               <dict>
-                   <key>Allowed</key>
-                   <true/>
-                   <key>CodeRequirement</key>
-                   <string>identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
-                   <key>Comment</key>
-                   <string>Allow SystemPolicyAllFiles control for Microsoft Defender ATP</string>
-                   <key>Identifier</key>
-                   <string>com.microsoft.wdav</string>
-                   <key>IdentifierType</key>
-                   <string>bundleID</string>
-               </dict>
-               </array>
-           </dict>
-       </dict>
-       </array>
-   </dict>
-   </plist>
-   ```
+9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections. <a name = "create-system-configuration-profiles-step-9" id = "create-system-configuration-profiles-step-9"></a>
 
-9. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload: <a name = "create-system-configuration-profiles-step-9" id = "create-system-configuration-profiles-step-9"></a>
+10. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload. <a name = "create-system-configuration-profiles-step-10" id = "create-system-configuration-profiles-step-10"></a>
 
-   ```xml
-   <?xml version="1.0" encoding="UTF-8"?>
-   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-   <plist version="1.0">
-     <dict>
-       <key>PayloadContent</key>
-       <array>
-         <dict>
-           <key>NotificationSettings</key>
-           <array>
-             <dict>
-               <key>AlertType</key>
-               <integer>2</integer>
-               <key>BadgesEnabled</key>
-               <true/>
-               <key>BundleIdentifier</key>
-               <string>com.microsoft.autoupdate2</string>
-               <key>CriticalAlertEnabled</key>
-               <false/>
-               <key>GroupingType</key>
-               <integer>0</integer>
-               <key>NotificationsEnabled</key>
-               <true/>
-               <key>ShowInLockScreen</key>
-               <false/>
-               <key>ShowInNotificationCenter</key>
-               <true/>
-               <key>SoundsEnabled</key>
-               <true/>
-             </dict>
-             <dict>
-               <key>AlertType</key>
-               <integer>2</integer>
-               <key>BadgesEnabled</key>
-               <true/>
-               <key>BundleIdentifier</key>
-               <string>com.microsoft.wdav.tray</string>
-               <key>CriticalAlertEnabled</key>
-               <false/>
-               <key>GroupingType</key>
-               <integer>0</integer>
-               <key>NotificationsEnabled</key>
-               <true/>
-               <key>ShowInLockScreen</key>
-               <false/>
-               <key>ShowInNotificationCenter</key>
-               <true/>
-               <key>SoundsEnabled</key>
-               <true/>
-             </dict>
-           </array>
-           <key>PayloadDescription</key>
-           <string/>
-           <key>PayloadDisplayName</key>
-           <string>notifications</string>
-           <key>PayloadEnabled</key>
-           <true/>
-           <key>PayloadIdentifier</key>
-           <string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
-           <key>PayloadOrganization</key>
-           <string>Microsoft</string>
-           <key>PayloadType</key>
-           <string>com.apple.notificationsettings</string>
-           <key>PayloadUUID</key>
-           <string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
-           <key>PayloadVersion</key>
-           <integer>1</integer>
-         </dict>
-       </array>
-       <key>PayloadDescription</key>
-       <string/>
-       <key>PayloadDisplayName</key>
-       <string>mdatp - allow notifications</string>
-       <key>PayloadEnabled</key>
-       <true/>
-       <key>PayloadIdentifier</key>
-       <string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
-       <key>PayloadOrganization</key>
-       <string>Microsoft</string>
-       <key>PayloadRemovalDisallowed</key>
-       <false/>
-       <key>PayloadScope</key>
-       <string>System</string>
-       <key>PayloadType</key>
-       <string>Configuration</string>
-       <key>PayloadUUID</key>
-       <string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
-       <key>PayloadVersion</key>
-       <integer>1</integer>
-     </dict>
-   </plist>
-   ```
-
-10. Select **Manage > Assignments**.  In the **Include** tab, select **Assign to All Users & All devices**.
+11. Select **Manage > Assignments**.  In the **Include** tab, select **Assign to All Users & All devices**.
 
 Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
 
-![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png)
+> [!div class="mx-imgBorder"]
+> ![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png)
 
 ## Publish application
 
 1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
+
 2. Select **App type=Other/Line-of-business app**.
+
 3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
+
 4. Select **Configure** and add the required information.
+
 5. Use **macOS High Sierra 10.13** as the minimum OS.
+
 6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
 
     > [!CAUTION]
@@ -334,24 +223,30 @@ Once the Intune changes are propagated to the enrolled devices, you can see them
     >
     > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client device, then uninstall Defender and push the updated policy.
     
-    ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-8-IntuneAppInfo.png)
+    > [!div class="mx-imgBorder"]
+    > ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-8-IntuneAppInfo.png)
 
 7. Select **OK** and **Add**.
 
-    ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-9-IntunePkgInfo.png)
+    > [!div class="mx-imgBorder"]
+    > ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-9-IntunePkgInfo.png)
 
 8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
 
-    ![Client apps screenshot](../microsoft-defender-antivirus/images/MDATP-10-ClientApps.png)
+    > [!div class="mx-imgBorder"]
+    > ![Client apps screenshot](../microsoft-defender-antivirus/images/MDATP-10-ClientApps.png)
 
 9. Change **Assignment type** to **Required**.
+
 10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
 
-    ![Intune assignments info screenshot](../microsoft-defender-antivirus/images/MDATP-11-Assignments.png)
+    > [!div class="mx-imgBorder"]
+    > ![Intune assignments info screenshot](../microsoft-defender-antivirus/images/MDATP-11-Assignments.png)
 
 11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
 
-    ![Intune device status screenshot](../microsoft-defender-antivirus/images/MDATP-12-DeviceInstall.png)
+    > [!div class="mx-imgBorder"]
+    > ![Intune device status screenshot](../microsoft-defender-antivirus/images/MDATP-12-DeviceInstall.png)
 
 ## Verify client device state
 
@@ -365,7 +260,8 @@ Once the Intune changes are propagated to the enrolled devices, you can see them
 
 3. You should also see the Microsoft Defender icon in the top-right corner:
 
-    ![Microsoft Defender icon in status bar screenshot](../microsoft-defender-antivirus/images/MDATP-Icon-Bar.png)
+    > [!div class="mx-imgBorder"]
+    > ![Microsoft Defender icon in status bar screenshot](../microsoft-defender-antivirus/images/MDATP-Icon-Bar.png)
 
 ## Troubleshooting
 

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md

@@ -70,13 +70,44 @@ Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be ext
 Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
 Alternatively, it may require you to convert the property list to a different format first.
 
-Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
+Typically, your custom profile has an ID, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
 MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client device, and Defender uses this file for loading the onboarding information.
 
 ### Kernel extension policy
 
 Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to allow kernel extensions provided by Microsoft.
 
+### System extension policy
+
+Set up a system extension policy. Use team identifier **UBF8T346G9** and approve the following bundle identifiers:
+
+- com.microsoft.wdav.epsext
+- com.microsoft.wdav.netext
+
+### Full disk access policy
+
+Grant Full Disk Access to the following components:
+
+- Microsoft Defender ATP
+    - Identifier: `com.microsoft.wdav`
+    - Identifier Type: Bundle ID
+    - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
+
+- Microsoft Defender ATP Endpoint Security Extension
+    - Identifier: `com.microsoft.wdav.epsext`
+    - Identifier Type: Bundle ID
+    - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+
+### Network extension policy
+
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+
+- Filter type: Plugin
+- Plugin bundle identifier: `com.microsoft.wdav`
+- Filter data provider bundle identifier: `com.microsoft.wdav.netext`
+- Filter data provider designated requirement: identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+- Filter sockets: `true`
+
 ## Check installation status
 
 Run [mdatp](mac-install-with-jamf.md) on a client device to check the onboarding status.

windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md

@@ -44,9 +44,13 @@ You'll need to take the following steps:
 
 7. [Approve Kernel extension for Microsoft Defender ATP](#step-7-approve-kernel-extension-for-microsoft-defender-atp)
 
-8. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
+8. [Approve System extensions for Microsoft Defender ATP](#step-8-approve-system-extensions-for-microsoft-defender-atp)
 
-9. [Deploy Microsoft Defender ATP for macOS](#step-9-deploy-microsoft-defender-atp-for-macos)
+9. [Configure Network Extension](#step-9-configure-network-extension)
+
+10. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
+
+11. [Deploy Microsoft Defender ATP for macOS](#step-11-deploy-microsoft-defender-atp-for-macos)
 
 
 ## Step 1: Get the Microsoft Defender ATP onboarding package
@@ -266,6 +270,7 @@ You'll need to take the following steps:
 4. Enter the following details:
 
     **General**
+    
     - Name: MDATP MDAV configuration settings
     - Description:\<blank\>
     - Category: None (default)
@@ -336,87 +341,7 @@ You'll need to take the following steps:
 
 These steps are applicable of macOS 10.15 (Catalina) or newer.
 
-1. Use the following Microsoft Defender ATP notification configuration settings:
-
-```xml
-<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-    <dict>
-        <key>PayloadContent</key>
-            <array>
-                <dict>
-                    <key>NotificationSettings</key>
-                    <array>
-                        <dict>
-                            <key>AlertType</key>
-                            <integer>2</integer>
-                            <key>BadgesEnabled</key>
-                            <true/>
-                            <key>BundleIdentifier</key>
-                            <string>com.microsoft.autoupdate2</string>
-                            <key>CriticalAlertEnabled</key>
-                            <false/><key>GroupingType</key>
-                            <integer>0</integer>
-                            <key>NotificationsEnabled</key>
-                            <true/>
-                            <key>ShowInLockScreen</key>
-                            <false/>
-                            <key>ShowInNotificationCenter</key>
-                            <true/>
-                            <key>SoundsEnabled</key>
-                            <true/>
-                        </dict>
-                        <dict>
-                            <key>AlertType</key>
-                            <integer>2</integer><key>BadgesEnabled</key>
-                            <true/><key>BundleIdentifier</key>
-                            <string>com.microsoft.wdav.tray</string>
-                            <key>CriticalAlertEnabled</key>
-                            <false/><key>GroupingType</key>
-                            <integer>0</integer>
-                            <key>NotificationsEnabled</key>
-                            <true/><key>ShowInLockScreen</key>
-                            <false/><key>ShowInNotificationCenter</key>
-                            <true/><key>SoundsEnabled</key>
-                            <true/>
-                        </dict>
-                    </array>
-                    <key>PayloadDescription</key>
-                    <string/><key>PayloadDisplayName</key>
-                    <string>notifications</string>
-                    <key>PayloadEnabled</key>
-                    <true/><key>PayloadIdentifier</key>
-                    <string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
-                    <key>PayloadOrganization</key>
-                    <string>Microsoft</string>
-                    <key>PayloadType</key>
-                    <string>com.apple.notificationsettings</string>
-                    <key>PayloadUUID</key>
-                    <string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
-                    <key>PayloadVersion</key>
-                    <integer>1</integer>
-                </dict>
-            </array>
-            <key>PayloadDescription</key>
-            <string/><key>PayloadDisplayName</key>
-            <string>mdatp - allow notifications</string>
-            <key>PayloadEnabled</key><true/>
-            <key>PayloadIdentifier</key>
-            <string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
-            <key>PayloadOrganization</key>
-            <string>Microsoft</string>
-            <key>PayloadRemovalDisallowed</key>
-            <false/><key>PayloadScope</key>
-            <string>System</string>
-            <key>PayloadType</key>
-            <string>Configuration</string>
-            <key>PayloadUUID</key>
-            <string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
-            <key>PayloadVersion</key>
-            <integer>1</integer>
-    </dict>
- </plist>   
-   ```
+1. Download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig)
 
 2. Save it as `MDATP_MDAV_notification_settings.plist`.
 
@@ -425,6 +350,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
 4. Enter the following details:
 
     **General** 
+    
     - Name: MDATP MDAV Notification settings
     - Description: macOS 10.15 (Catalina) or newer
     - Category: None (default)
@@ -503,6 +429,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
 4. Enter the following details:
 
     **General** 
+    
     - Name: MDATP MDAV MAU settings
     - Description: Microsoft AutoUpdate settings for MDATP for macOS
     - Category: None (default)
@@ -582,10 +509,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
 
     - Identifier: `com.microsoft.wdav`
     - Identifier Type: Bundle ID
-    - Code Requirement: identifier `com.microsoft.wdav` and anchor apple generic and
-certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate
-leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate
-leaf[subject.OU] = UBF8T346G9
+    - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
 
 
     ![Image of configuration setting](images/22cb439de958101c0a12f3038f905b27.png)
@@ -594,7 +518,6 @@ leaf[subject.OU] = UBF8T346G9
 
     ![Image of configuration setting](images/bd93e78b74c2660a0541af4690dd9485.png)
 
-
     - Under App or service: Set to **SystemPolicyAllFiles**
 
     - Under "access": Set to **Allow**
@@ -603,23 +526,45 @@ leaf[subject.OU] = UBF8T346G9
 
     ![Image of configuration setting](images/6de50b4a897408ddc6ded56a09c09fe2.png)
 
-8. Select the **Scope** tab.
+8. Click the `+` sign next to **App Access** to add a new entry.
+
+    ![Image of configuration setting](images/tcc-add-entry.png)
+
+9. Enter the following details:
+
+    - Identifier: `com.microsoft.wdav.epsext`
+    - Identifier Type: Bundle ID
+    - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+
+10. Select **+ Add**.
+
+    ![Image of configuration setting](images/tcc-epsext-entry.png)
+
+    - Under App or service: Set to **SystemPolicyAllFiles**
+
+    - Under "access": Set to **Allow**
+
+11. Select **Save** (not the one at the bottom right).
+
+    ![Image of configuration setting](images/tcc-epsext-entry2.png)
+
+12. Select the **Scope** tab.
 
     ![Image of configuration setting](images/2c49b16cd112729b3719724f581e6882.png)
 
- 9. Select **+ Add**.
+13. Select **+ Add**.
 
     ![Image of configuration setting](images/57cef926d1b9260fb74a5f460cee887a.png)
 
-10. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**. 
+14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**. 
 
     ![Image of configuration setting](images/368d35b3d6179af92ffdbfd93b226b69.png)
 
-11. Select **Add**. 
+15. Select **Add**. 
 
-12. Select **Save**. 
+16. Select **Save**. 
     
-13. Select **Done**.
+17. Select **Done**.
     
     ![Image of configuration setting](images/809cef630281b64b8f07f20913b0039b.png)
     
@@ -635,6 +580,7 @@ leaf[subject.OU] = UBF8T346G9
 2. Enter the following details:
 
     **General** 
+    
     - Name: MDATP MDAV Kernel Extension
     - Description: MDATP kernel extension (kext)
     - Category: None
@@ -648,7 +594,6 @@ leaf[subject.OU] = UBF8T346G9
     ![Image of configuration settings](images/30be88b63abc5e8dde11b73f1b1ade6a.png)
 
    
-
 4. In **Approved Kernel Extensions** Enter the following details:
 
     - Display Name: Microsoft Corp.
@@ -677,10 +622,119 @@ leaf[subject.OU] = UBF8T346G9
     ![Image of configuration settings](images/1c9bd3f68db20b80193dac18f33c22d0.png)
 
 
-## Step 8: Schedule scans with Microsoft Defender ATP for Mac
+## Step 8: Approve System extensions for Microsoft Defender ATP
+
+1. In the **Configuration Profiles**, select **+ New**.
+
+    ![A screenshot of a social media post Description automatically generated](images/6c8b406ee224335a8c65d06953dc756e.png)
+
+2. Enter the following details:
+
+    **General**
+    
+    - Name: MDATP MDAV System Extensions
+    - Description: MDATP system extensions
+    - Category: None
+    - Distribution Method: Install Automatically
+    - Level: Computer Level
+
+    ![Image of configuration settings](images/sysext-new-profile.png)
+
+3. In **System Extensions** select **Configure**.
+
+   ![Image of configuration settings](images/sysext-configure.png)
+
+4. In **System Extensions** enter the following details:
+
+   - Display Name: Microsoft Corp. System Extensions
+   - System Extension Types: Allowed System Extensions
+   - Team Identifier: UBF8T346G9
+   - Allowed System Extensions:
+     - **com.microsoft.wdav.epsext**
+     - **com.microsoft.wdav.netext**
+
+    ![Image of configuration settings](images/sysext-configure2.png)
+
+5. Select the **Scope** tab.
+
+    ![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
+
+6. Select **+ Add**.
+
+7. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
+
+8. Select **+ Add**.
+
+   ![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
+
+9. Select **Save**.
+
+   ![Image of configuration settings](images/sysext-scope.png)
+
+10. Select **Done**.
+
+    ![Image of configuration settings](images/sysext-final.png)
+
+## Step 9: Configure Network Extension
+
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+
+>[!NOTE]
+>JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
+>As such, the following steps provide a workaround that involve signing the configuration profile.
+
+1. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig) to your device and save it as `com.microsoft.network-extension.mobileconfig`
+
+2. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority
+
+3. After the certificate is created and installed to your device, run the following command from the Terminal from a macOS device:
+
+   ```bash
+   $ security cms -S -N "<certificate name>" -i com.microsoft.network-extension.mobileconfig -o com.microsoft.network-extension.signed.mobileconfig
+   ```
+
+   ![Terminal window with command to create signed configuration](images/netext-create-profile.png)
+
+4. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. 
+
+   ![Image of upload window](images/netext-upload-file.png)
+
+5. Select **Choose File** and select `microsoft.network-extension.signed.mobileconfig`.
+
+   ![Image of upload window](images/netext-choose-file.png)
+
+6. Select **Upload**.
+
+   ![Image of upload window](images/netext-upload-file2.png)
+
+7. After uploading the file, you are redirected to a new page to finalize the creation of this profile.
+
+   ![Image of new configuration profile](images/netext-profile-page.png)
+
+8. Select the **Scope** tab.
+
+   ![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
+
+9. Select **+ Add**.
+
+10. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
+
+11. Select **+ Add**.
+
+    ![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
+
+12. Select **Save**.
+
+    ![Image of configuration settings](images/netext-scope.png)
+
+13. Select **Done**.
+
+    ![Image of configuration settings](images/netext-final.png)
+
+## Step 10: Schedule scans with Microsoft Defender ATP for Mac
 Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
 
-## Step 9: Deploy Microsoft Defender ATP for macOS
+## Step 11: Deploy Microsoft Defender ATP for macOS
 
 1. Navigate to where you saved `wdav.pkg`.
 
@@ -729,9 +783,11 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
      ![Image of configuration settings](images/56dac54634d13b2d3948ab50e8d3ef21.png)
    
 9. Select **Save**. The package is uploaded to Jamf Pro. 
+
    ![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png)
 
    It can take a few minutes for the package to be available for deployment.
+   
    ![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png)
 
 10. Navigate to the **Policies** page.
@@ -765,25 +821,31 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
     ![Image of configuration settings](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png)
 
 17. Select **Save**.
+
     ![Image of configuration settings](images/9d6e5386e652e00715ff348af72671c6.png)
 
 18. Select the **Scope** tab.  
+
     ![Image of configuration settings](images/8d80fe378a31143db9be0bacf7ddc5a3.png)
 
 19. Select the target computers.
 
     ![Image of configuration settings](images/6eda18a64a660fa149575454e54e7156.png)
 
-    **Scope**<br>
+    **Scope**
+    
     Select **Add**.
+    
     ![Image of configuration settings](images/1c08d097829863778d562c10c5f92b67.png)
 
     ![Image of configuration settings](images/216253cbfb6ae738b9f13496b9c799fd.png)
 
-    **Self-Service** <br>
+    **Self-Service**
+    
     ![Image of configuration settings](images/c9f85bba3e96d627fe00fc5a8363b83a.png)
 
 20. Select **Done**. 
+
     ![Image of configuration settings](images/99679a7835b0d27d0a222bc3fdaf7f3b.png)
 
     ![Image of configuration settings](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png)

windows/security/threat-protection/microsoft-defender-atp/machine.md

@@ -41,6 +41,7 @@ Method|Return Type |Description
 [Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
 [Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
 [Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID
+[Set device value](set-device-value.md)| [machine](machine.md) collection | Set the value of a device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md).
 
 ## Properties
 
@@ -63,3 +64,5 @@ exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evalu
 aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is Aad Joined).
 machineTags | String collection | Set of [machine](machine.md) tags.
 exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+deviceValue | Nullable Enum | The value of the device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md). Possible values are: 'Normal', 'Low' and 'High'.
+

windows/security/threat-protection/microsoft-defender-atp/preview.md

@@ -54,11 +54,9 @@ The following features are included in the preview release:
 
 - [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) <br> Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android.
 
- - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR> Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019. <BR> <BR> Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
+- [Web Content Filtering](web-content-filtering.md) <br> Web content filtering is part of web protection capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
 
-- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR> You can now see a comprehensive set of details on the vulnerabilities found in your device to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
- 
- - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).  
+ - [Threat and vulnerability management supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR> Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019. <BR> <BR> Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
 
 - [Device health and compliance report](machine-reports.md) <br/> The device health and compliance report provides high-level information about the devices in your organization.
 

windows/security/threat-protection/microsoft-defender-atp/set-device-value.md

@@ -0,0 +1,78 @@
+---
+title: Set device value API
+description: Learn how to specify the value of a device using a Microsoft Defender Advanced Threat Protection API.
+keywords: apis, graph api, supported apis, tags, machine tags
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
+---
+
+# Set device value API
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+## API description
+
+Set the device value of a specific [Machine](machine.md).<br>
+See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md) for more information.
+
+## Limitations
+
+1. You can post on devices last seen according to your configured retention period.
+
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type |    Permission    |    Permission display name
+:---|:---|:---
+Application |    Machine.ReadWrite.All |    'Read and write all machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>
+>- The user needs to have at least the following role permission: 'Manage security setting'. For more  (See [Create and manage roles](user-roles.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
+
+## HTTP request
+
+```http
+POST https://api.securitycenter.microsoft.com/api/machines/{machineId}/setDeviceValue
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+
+```json
+{
+  "DeviceValue": "{device value}"
+}
+```
+
+## Response
+
+If successful, this method returns 200 - Ok response code and the updated Machine in the response body.

windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md

@@ -57,6 +57,8 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
 
 Defining a device’s value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices marked as “high value” will receive more weight.
 
+You can also use the [set device value API](set-device-value.md).
+
 Device value options:
 
 - Low
@@ -82,6 +84,7 @@ Examples of devices that should be marked as high value:
 3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device.
 ![Example of the device value flyout.](images/tvm-device-value-flyout.png)
 
+
 ## Related topics
 
 - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)

windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md

@@ -21,22 +21,23 @@ ms.topic: article
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-
 > [!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> **Web content filtering is currently in public preview**<br>
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
+> For more information, see [Microsoft Defender ATP preview features](preview.md).
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
 
 Web content filtering is part of [Web protection](web-protection-overview.md) capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
 
-You can configure policies across your device groups to block certain categories, effectively preventing users within specified device groups from accessing URLs that are associated with the category. For any category that's not blocked, they are automatically audited. That means your users will be able to access the URLs without disruption, and you will continue to gather access statistics to help create a more custom policy decision. If an element on the page you’re viewing is making calls to a resource that is blocked, your users will see a block notification.
+Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource.
 
 Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome and Firefox). For more information about browser support, see the prerequisites section.
 
 Summarizing the benefits:
 
 - Users are prevented from accessing websites in blocked categories, whether they're browsing on-premises or away
-- Conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
+- Conveniently deploy policies to groups of users using device groups defined in [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
 - Access web reports in the same central location, with visibility over actual blocks and web usage
 
 ## User experience
@@ -47,17 +48,17 @@ For a more user-friendly in-browser experience, consider using Microsoft Edge.
 
 ## Prerequisites
 
-Before trying out this feature, make sure you have the following:
+Before trying out this feature, make sure you have the following requirements:
 
 - Windows 10 Enterprise E5 license OR Microsoft 365 E3 + Microsoft 365 E5 Security add-on.
 - Access to Microsoft Defender Security Center portal
 - Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
 
-If Windows Defender SmartScreen is not turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device.
+If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device.
 
 ## Data handling
 
-For this feature, we will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
+We will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
 
 ## Turn on web content filtering
 
@@ -89,31 +90,25 @@ Tip: You can deploy a policy without selecting any category on a device group. T
 
 ### Allow specific websites
 
-It is possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it is applied to the device group in question.
+It's possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it's applied to the device group in question.
 
 1. Create a custom indicator in the Microsoft Defender Security Center by going to **Settings** > **Indicators** > **URL/Domain** > **Add Item**
 2. Enter the domain of the site
 3. Set the policy action to **Allow**.  
 
-## Web content filtering
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
- cards and details
+## Web content filtering cards and details
 
 Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering.
 
 ### Web activity by category
 
-This card lists the parent web content categories with the largest percentage change in the number of access attempts, whether they have increased or decreased. You can use this card to understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information about that particular category.
+This card lists the parent web content categories with the largest increase or decrease in the number of access attempts. Understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information.
 
-In the first 30 days of using this feature, your organization might not have sufficient data to display in this card.
+In the first 30 days of using this feature, your organization might not have enough data to display this information.
 
 ![Image of web activity by category card](images/web-activity-by-category600.png)
 
-### Web content filtering
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
- summary card
+### Web content filtering  summary card
 
 This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category.
 
@@ -143,9 +138,9 @@ Use the time range filter at the top left of the page to select a time period. Y
 
 ### Limitations and known issues in this preview
 
-- Only Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). This is because Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox.
+- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox.
 
-- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices in the interim before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
+- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
 
 ## Related topics
 

windows/whats-new/whats-new-windows-10-version-1909.md

@@ -130,7 +130,6 @@ General battery life and power efficiency improvements for PCs with certain proc
 [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
 [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.<br>
 [What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.<br>
-[What's new in Windows 10, version 1909 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-1909): This list also includes consumer focused new features.<br>
 [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
 [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>
 [How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.<br>