diff --git a/devices/hololens/hololens-feedback.md b/devices/hololens/hololens-feedback.md
index 3199517a90..7fb8c4838e 100644
--- a/devices/hololens/hololens-feedback.md
+++ b/devices/hololens/hololens-feedback.md
@@ -4,7 +4,11 @@ description: Create actionable feedback for HoloLens and Windows Mixed Reality d
ms.assetid: b9b24c72-ff86-44a9-b30d-dd76c49479a9
author: mattzmsft
ms.author: mazeller
-ms.date: 09/13/2019
+ms.date: 05/14/2020
+ms.custom:
+- CI 116157
+- CSSTroubleshooting
+audience: ITPro
ms.prod: hololens
ms.topic: article
keywords: feedback, bug, issue, error, troubleshoot, help
@@ -15,68 +19,66 @@ appliesto:
- HoloLens 2
---
-# Give us feedback
+# Feedback for HoloLens
-Use the Feedback Hub to tell us which features you love, which features you could do without, or when something could be better.
+Use the Feedback Hub to tell us which features you love, which features you could do without, and how something could be better. The engineering team uses the same mechanism internally to track and fix bugs, so please use Feedback Hub to report any bugs that you see. We are listening!
-## Feedback for Windows Mixed Reality immersive headset on PC
+Feedback Hub is an excellent way to alert the engineering team to bugs and to make sure that future updates are healthier and more consistently free of bugs. However, Feedback Hub does not provide a response. If you need immediate help, please file feedback, take note of the summary that you provided for your feedback, and then follow up with [HoloLens support](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f).
-> [!IMPORTANT]
-> Before you report an issue, make sure that your environment meets the following requirements so that you can successfully upload logs and other information:
->
-> - Have a minimum of 3GB free disk space available on the main drive of the device.
-> - To upload cabs or other large files, connect to a non-metered network.
+> [!NOTE]
+>
+> - Make sure you that you have the current version of Feedback Hub. To do this, select **Start** > **Microsoft Store**, and then select the ellipses (**...**). Then, select **Downloads and updates** > **Get updates**.
+>
+> - To provide the best possible data for fixing issues, we highly recommended that you set your device telemetry to **Full**. You can set this value during the Out-of-Box-Experience (OOBE), or by using the Settings app. To do this by using Settings, select **Start** > **Settings** > **Privacy** > **App Diagnostics** > **On**.
-1. Make sure that you have the immersive headset connected to your PC, and then on the desktop, select **Feedback Hub**.
-1. In the left pane, select **Feedback**.
- 
-1. To enter new feedback, select **Add new feedback**.
- 
-1. To make feedback actionable, in **What kind of feedback is this?** select **Problem**.
-1. In **Summarize your issue**, enter a meaningful title for your feedback.
-1. In **Give us more detail**, provide details and repro steps.
- 
+## Use the Feedback Hub
- As the top category, select **Mixed Reality**. Then select an applicable subcategory, as explained in the following table:
-
- |Subcategory |Description |
- |----------|----------|
- | Apps | Issues about a specific application. |
- | Developer | Issues about authoring or running an app for Mixed Reality. |
- | Device | Issues about the head-mounted device (HMD) itself. |
- | Home experience | Issues about your VR environment and your interactions with the your mixed reality home. |
- | Input | Issues about input methods, such as motion controllers, speech, gamepad, or mouse and keyboard. |
- | Set up | Anything that is preventing you from setting up the device. |
- | All other issues | Anything else. |
-
-1. If possible, add traces or video to your feedback to help us identify and fix the issue more quickly. To do this, follow these steps:
- 1. To start collecting traces, select **Start capture**. The app starts collecting traces and a video capture of your mixed reality scenario.
-
- 
- 1. Do not close the Feedback Hub app, but switch to the scenario that produces the issue. Run through the scenario to produce the circumstances that you have described.
- 1. After you finish your scenario, go back to the Feedback Hub app and select **Stop capture**. The app stops collecting information, stores the information in a file, and attaches the file to your feedback.
-1. Select **Submit**.
- 
- The Thank You page indicates that your feedback has been successfully submitted.
- 
+1. Use the **Start** gesture to open the **Start** menu, and then select **Feedback Hub**. The app opens in your environment.
-To easily direct other people (such as co-workers, Microsoft staff, [forum](https://forums.hololens.com/) readers et al) to the issue, go to **Feedback** > **My Feedback**, select the issue, select **Share**. This action provides a shortened URL that you can give to others so that they can upvote or escalate your issue.
+ 
+ > [!NOTE]
+ > If you don't see **Feedback Hub**, select **All Apps** to see the complete list of apps on the device.
-## Feedback for HoloLens
+1. To see whether someone else has given similar feedback, enter a few keywords about the topic in the **Feedback** search box.
+1. If you find similar feedback, select it, add any additional information that you have in the **Write a comment** box, and then select **Upvote**.
+1. If you don't find any similar feedback, select **Add new feedback**.
-1. Use the **bloom** gesture to open the **Start** menu, and then select **Feedback Hub**.
+ 
- 
-1. Place the app in your environment and then select the app to launch it.
-1. To see if someone else has given similar feedback, in the Feedback search box, enter a few keywords about the topic.
+1. In **Summarize your feedback**, enter a short summary of your feedback. Then add details in the **Explain in more detail** box. The more details that you provide, such as how to reproduce this problem and the effect that it has, the more useful your feedback is. When you're finished, select **Next**.
- 
-1. If you find similar feedback, select it, add any details, then select **Upvote**.
+1. Select a topic from **Choose a category**, and then select a subcategory from **Select a subcategory**. The following table describes the categories that are available in the Windows Holographic category.
- 
-1. If you don’t find any similar feedback, select **Add new feedback**, select a topic from **Select a category**, and then select a subcategory from **Select a subcategory**.
+ > [!NOTE]
+ > **Commercial customers**: To report a bug that is related to MDM, provisioning, or any other device management aspect, select the **Enterprise Management** category, and the **Device** subcategory.
- 
-1. Enter your feedback.
-1. If you are reporting a reproducible issue, you can select **Reproduce**. Without closing Feedback Hub, reproduce the issue. After you finish, come back to Feedback Hub and select **I’m done**. The app adds a mixed reality capture of your repro and relevant diagnostic logs to your feedback.
-1. Select **Post feedback**, and you’re done.
+ |Category |Description |
+ | --- | --- |
+ |Eye tracking |Feedback about eye tracking, iris sign-in, or calibration. |
+ |Hologram accuracy, stability, and reliability |Feedback about how holograms appear in space. |
+ |Launching, placing, adjusting, and exiting apps |Feedback about starting or stopping 2D or 3D apps. |
+ |Miracast |Feedback about Miracast. |
+ |Spaces and persistence |Feedback about how HoloLens recognizes spaces and retains holograms in space. |
+ |Start menu and all apps list |Feedback about the **Start** menu and the all apps list. |
+ |Surface mapping |Feedback about surface mapping. |
+ |Taking pictures and videos |Feedback about mixed reality captures. |
+ |Video hologram playback |Feedback about video hologram playback. |
+ |All other issues |All other issues. |
+
+1. You may be prompted to search for similar feedback. If your problem resembles feedback from other users, select that feedback. Otherwise, select **New feedback** and then select **Next**.
+
+1. If you are prompted, select the best description of the problem.
+
+1. Attach any relevant data to your feedback, or reproduce the problem. You can select any of the following options:
+
+ - **Attach a screenshot**. Select this option to attach a screenshot that illustrates the situation that you're describing.
+ - **Attach a file**. Select this option to attach data files. If you have files that are relevant to your problem or that could help us to reproduce your problem, attach them.
+ - **Recreate my problem**. Select this option if you can reproduce the problem yourself. After you select **Recreate my problem**, follow these steps:
+
+ 1. Select **Include data about** and make sure that the most relevant types of data are listed. In most cases, the default selections are based on the category and subcategory that you selected for your feedback.
+ 1. Select **Start Recording**.
+
+ 1. Reproduce your problem. Don’t worry if this means that you have to enter an immersive app. You will return to the feedback page when you're done.
+ 1. Select **Stop recording**. After recording stops, you can see the data that is attached to your feedback for the engineering team.
+
+1. Make sure that you have an active internet connection so that we can receive your feedback. Select **Submit**, and you’re done.
diff --git a/devices/hololens/images/hololens-feedback-1.png b/devices/hololens/images/hololens-feedback-1.png
new file mode 100644
index 0000000000..6433befe3c
Binary files /dev/null and b/devices/hololens/images/hololens-feedback-1.png differ
diff --git a/devices/hololens/images/hololens-start-feedback.png b/devices/hololens/images/hololens-start-feedback.png
new file mode 100644
index 0000000000..0b4639843d
Binary files /dev/null and b/devices/hololens/images/hololens-start-feedback.png differ
diff --git a/devices/hololens/images/hololens2-feedbackhub-tile.png b/devices/hololens/images/hololens2-feedbackhub-tile.png
new file mode 100644
index 0000000000..692baddd55
Binary files /dev/null and b/devices/hololens/images/hololens2-feedbackhub-tile.png differ
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index de339fd9cd..345af22d10 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -238,6 +238,7 @@
##### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md)
##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
+##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md)
#### [Troubleshoot]()
##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md)
@@ -245,6 +246,7 @@
##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
+#### [Privacy](microsoft-defender-atp/linux-privacy.md)
#### [Resources](microsoft-defender-atp/linux-resources.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
index 10c69301a9..c27fdb45cc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
@@ -54,8 +54,10 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP detec
3. Select **Windows Defender ATP alerts** under **Local inputs**.
- NOTE:
- This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
+ >[!NOTE]
+ > - This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
+ > - For Splunk Cloud, use [Microsoft Defender ATP Add-on for Splunk](https://splunkbase.splunk.com/app/4959/).
+
4. Click **New**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 250093e512..412d0351fa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -276,6 +276,10 @@ Download the onboarding package from Microsoft Defender Security Center:
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+## Operating system upgrades
+
+When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
+
## Uninstallation
-See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices.
+See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices.
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
index d097245cf8..34b6be737e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
@@ -255,6 +255,10 @@ Now run the tasks files under `/etc/ansible/playbooks/`.
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+## Operating system upgrades
+
+When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
+
## References
- [Add or remove YUM repositories](https://docs.ansible.com/ansible/2.3/yum_repository_module.html)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
index 92c721fedf..3914bf58e0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
@@ -207,6 +207,10 @@ If the product is not healthy, the exit code (which can be checked through `echo
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+## Operating system upgrades
+
+When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
+
## Uninstallation
Create a module *remove_mdatp* similar to *install_mdatp* with the following contents in *init.pp* file:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md
new file mode 100644
index 0000000000..7a7de6e01f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md
@@ -0,0 +1,300 @@
+---
+title: Privacy for Microsoft Defender ATP for Linux
+description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Linux.
+keywords: microsoft, defender, atp, linux, privacy, diagnostic
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Privacy for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender ATP for Linux.
+
+This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected.
+
+## Overview of privacy controls in Microsoft Defender ATP for Linux
+
+This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Linux.
+
+### Diagnostic data
+
+Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements.
+
+Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations.
+
+There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from:
+
+* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device it’s installed on.
+
+* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
+
+By default, only required diagnostic data is sent to Microsoft.
+
+### Cloud delivered protection data
+
+Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud.
+
+Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
+
+### Sample data
+
+Sample data is used to improve the protection capabilities of the product, by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional.
+
+There are three levels for controlling sample submission:
+
+- **None**: no suspicious samples are submitted to Microsoft.
+- **Safe**: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
+- **All**: all suspicious samples are submitted to Microsoft.
+
+## Manage privacy controls with policy settings
+
+If you're an IT administrator, you might want to configure these controls at the enterprise level.
+
+The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
+
+As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization.
+
+## Diagnostic data events
+
+This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected.
+
+### Data fields that are common for all events
+There is some information about events that is common to all events, regardless of category or data subtype.
+
+The following fields are considered common for all events:
+
+| Field | Description |
+| ----------------------- | ----------- |
+| platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. |
+| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
+| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
+| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. |
+| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
+| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
+| app_version | Version of the Microsoft Defender ATP for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
+| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. |
+| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. |
+| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. |
+
+### Required diagnostic data
+
+**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device it’s installed on.
+
+Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.
+
+#### Software setup and inventory data events
+
+**Microsoft Defender ATP installation / uninstallation**
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| correlation_id | Unique identifier associated with the installation. |
+| version | Version of the package. |
+| severity | Severity of the message (for example Informational). |
+| code | Code that describes the operation. |
+| text | Additional information associated with the product installation. |
+
+**Microsoft Defender ATP configuration**
+
+The following fields are collected:
+
+| Field | Description |
+| --------------------------------------------------- | ----------- |
+| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. |
+| antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. |
+| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. |
+| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. |
+| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. |
+| cloud_service.service_uri | URI used to communicate with the cloud. |
+| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
+| cloud_service.automatic_sample_submission | Automatic sample submission level of the device (none, safe, all). |
+| edr.early_preview | Whether the machine should run EDR early preview features. |
+| edr.group_id | Group identifier used by the detection and response component. |
+| edr.tags | User-defined tags. |
+| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
+
+#### Product and service usage data events
+
+**Security intelligence update report**
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| from_version | Original security intelligence version. |
+| to_version | New security intelligence version. |
+| status | Status of the update indicating success or failure. |
+| using_proxy | Whether the update was done over a proxy. |
+| error | Error code if the update failed. |
+| reason | Error message if the update failed. |
+
+#### Product and service performance data events
+
+**Kernel extension statistics**
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| version | Version of Microsoft Defender ATP for Linux. |
+| instance_id | Unique identifier generated on kernel extension startup. |
+| trace_level | Trace level of the kernel extension. |
+| subsystem | The underlying subsystem used for real-time protection. |
+| ipc.connects | Number of connection requests received by the kernel extension. |
+| ipc.rejects | Number of connection requests rejected by the kernel extension. |
+| ipc.connected | Whether there is any active connection to the kernel extension. |
+
+#### Support data
+
+**Diagnostic logs**
+
+Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs:
+
+- All files under */var/log/microsoft/mdatp*
+- Subset of files under */etc/opt/microsoft/mdatp* that are created and used by Microsoft Defender ATP for Linux
+- Product installation and uninstallation logs under */var/log/microsoft_mdatp_\*.log*
+
+### Optional diagnostic data
+
+**Optional diagnostic data** is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues.
+
+If you choose to send us optional diagnostic data, required diagnostic data is also included.
+
+Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product).
+
+#### Software setup and inventory data events
+
+**Microsoft Defender ATP configuration**
+
+The following fields are collected:
+
+| Field | Description |
+| -------------------------------------------------- | ----------- |
+| connection_retry_timeout | Connection retry time-out when communication with the cloud. |
+| file_hash_cache_maximum | Size of the product cache. |
+| crash_upload_daily_limit | Limit of crash logs uploaded daily. |
+| antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. |
+| antivirus_engine.exclusions[].path | Path that was excluded from scanning. |
+| antivirus_engine.exclusions[].extension | Extension excluded from scanning. |
+| antivirus_engine.exclusions[].name | Name of the file excluded from scanning. |
+| antivirus_engine.scan_cache_maximum | Size of the product cache. |
+| antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. |
+| antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. |
+| filesystem_scanner.full_scan_directory | Full scan directory. |
+| filesystem_scanner.quick_scan_directories | List of directories used in quick scan. |
+| edr.latency_mode | Latency mode used by the detection and response component. |
+| edr.proxy_address | Proxy address used by the detection and response component. |
+
+**Microsoft Auto-Update configuration**
+
+The following fields are collected:
+
+| Field | Description |
+| --------------------------- | ----------- |
+| how_to_check | Determines how product updates are checked (for example automatic or manual). |
+| channel_name | Update channel associated with the device. |
+| manifest_server | Server used for downloading updates. |
+| update_cache | Location of the cache used to store updates. |
+
+### Product and service usage
+
+#### Diagnostic log upload started report
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| sha256 | SHA256 identifier of the support log. |
+| size | Size of the support log. |
+| original_path | Path to the support log (always under */var/opt/microsoft/mdatp/wdavdiag/*). |
+| format | Format of the support log. |
+
+#### Diagnostic log upload completed report
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| request_id | Correlation ID for the support log upload request. |
+| sha256 | SHA256 identifier of the support log. |
+| blob_sas_uri | URI used by the application to upload the support log. |
+
+#### Product and service performance data events
+
+**Unexpected application exit (crash)**
+
+Unexpected application exits and the state of the application when that happens.
+
+**Kernel extension statistics**
+
+The following fields are collected:
+
+| Field | Description |
+| ------------------------------ | ----------- |
+| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. |
+| pkt_ack_conn_timeout | |
+| ipc.ack_pkts | |
+| ipc.nack_pkts | |
+| ipc.send.ack_no_conn | |
+| ipc.send.nack_no_conn | |
+| ipc.send.ack_no_qsq | |
+| ipc.send.nack_no_qsq | |
+| ipc.ack.no_space | |
+| ipc.ack.timeout | |
+| ipc.ack.ackd_fast | |
+| ipc.ack.ackd | |
+| ipc.recv.bad_pkt_len | |
+| ipc.recv.bad_reply_len | |
+| ipc.recv.no_waiter | |
+| ipc.recv.copy_failed | |
+| ipc.kauth.vnode.mask | |
+| ipc.kauth.vnode.read | |
+| ipc.kauth.vnode.write | |
+| ipc.kauth.vnode.exec | |
+| ipc.kauth.vnode.del | |
+| ipc.kauth.vnode.read_attr | |
+| ipc.kauth.vnode.write_attr | |
+| ipc.kauth.vnode.read_ex_attr | |
+| ipc.kauth.vnode.write_ex_attr | |
+| ipc.kauth.vnode.read_sec | |
+| ipc.kauth.vnode.write_sec | |
+| ipc.kauth.vnode.take_own | |
+| ipc.kauth.vnode.link | |
+| ipc.kauth.vnode.create | |
+| ipc.kauth.vnode.move | |
+| ipc.kauth.vnode.mount | |
+| ipc.kauth.vnode.denied | |
+| ipc.kauth.vnode.ackd_before_deadline | |
+| ipc.kauth.vnode.missed_deadline | |
+| ipc.kauth.file_op.mask | |
+| ipc.kauth_file_op.open | |
+| ipc.kauth.file_op.close | |
+| ipc.kauth.file_op.close_modified | |
+| ipc.kauth.file_op.move | |
+| ipc.kauth.file_op.link | |
+| ipc.kauth.file_op.exec | |
+| ipc.kauth.file_op.remove | |
+| ipc.kauth.file_op.unmount | |
+| ipc.kauth.file_op.fork | |
+| ipc.kauth.file_op.create | |
+
+## Resources
+
+- [Privacy at Microsoft](https://privacy.microsoft.com/)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
new file mode 100644
index 0000000000..b0cd02009a
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
@@ -0,0 +1,65 @@
+---
+title: Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux
+description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Linux.
+keywords: microsoft, defender, atp, linux, pua, pus
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Linux can detect and block PUA files on endpoints in your network.
+
+These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation.
+
+These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications.
+
+## How it works
+
+Microsoft Defender ATP for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine.
+
+When a PUA is detected on an endpoint, Microsoft Defender ATP for Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application".
+
+## Configure PUA protection
+
+PUA protection in Microsoft Defender ATP for Linux can be configured in one of the following ways:
+
+- **Off**: PUA protection is disabled.
+- **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No record of the infection is stored in the threat history and no action is taken by the product.
+- **Block**: PUA files are reported in the product logs and in Microsoft Defender Security Center. A record of the infection is stored in the threat history and action is taken by the product.
+
+>[!WARNING]
+>By default, PUA protection is configured in **Audit** mode.
+
+You can configure how PUA files are handled from the command line or from the management console.
+
+### Use the command-line tool to configure PUA protection:
+
+In Terminal, execute the following command to configure PUA protection:
+
+```bash
+$ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
+```
+
+### Use the management console to configure PUA protection:
+
+In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) topic.
+
+## Related topics
+
+- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md
index ab118ea2ca..9add09b4df 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md
@@ -43,7 +43,7 @@ There are two levels of diagnostic data for Microsoft Defender ATP client softwa
* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
-By default, both optional and required diagnostic data are sent to Microsoft.
+By default, only required diagnostic data is sent to Microsoft.
### Cloud delivered protection data
@@ -127,6 +127,21 @@ The following fields are collected:
| edr.tags | User-defined tags. |
| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
+#### Product and service usage data events
+
+**Security intelligence update report**
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| from_version | Original security intelligence version. |
+| to_version | New security intelligence version. |
+| status | Status of the update indicating success or failure. |
+| using_proxy | Whether the update was done over a proxy. |
+| error | Error code if the update failed. |
+| reason | Error message if the updated filed. |
+
#### Product and service performance data events
**Kernel extension statistics**
@@ -138,6 +153,7 @@ The following fields are collected:
| version | Version of Microsoft Defender ATP for Mac. |
| instance_id | Unique identifier generated on kernel extension startup. |
| trace_level | Trace level of the kernel extension. |
+| subsystem | The underlying subsystem used for real-time protection. |
| ipc.connects | Number of connection requests received by the kernel extension. |
| ipc.rejects | Number of connection requests rejected by the kernel extension. |
| ipc.connected | Whether there is any active connection to the kernel extension. |
@@ -259,7 +275,13 @@ The following fields are collected:
| ipc.kauth.vnode.read_sec | |
| ipc.kauth.vnode.write_sec | |
| ipc.kauth.vnode.take_own | |
+| ipc.kauth.vnode.link | |
+| ipc.kauth.vnode.create | |
+| ipc.kauth.vnode.move | |
+| ipc.kauth.vnode.mount | |
| ipc.kauth.vnode.denied | |
+| ipc.kauth.vnode.ackd_before_deadline | |
+| ipc.kauth.vnode.missed_deadline | |
| ipc.kauth.file_op.mask | |
| ipc.kauth_file_op.open | |
| ipc.kauth.file_op.close | |
@@ -268,6 +290,7 @@ The following fields are collected:
| ipc.kauth.file_op.link | |
| ipc.kauth.file_op.exec | |
| ipc.kauth.file_op.remove | |
+| ipc.kauth.file_op.unmount | |
| ipc.kauth.file_op.fork | |
| ipc.kauth.file_op.create | |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
index 7578b1bddf..e29bf3379b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
@@ -33,9 +33,9 @@ Windows Server 2016 and earlier or Windows 8.1 and earlier.
> - An OMS gateway server cannot be used as proxy for disconnected Windows 10 or Windows Server 2019 machines when configured via 'TelemetryProxyServer' registry or GPO.
> - For Windows 10 or Windows Server 2019 - while you may use TelemetryProxyServer, it must point to a standard proxy device or appliance.
> - In addition, Windows 10 or Windows Server 2019 in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server.
-> - For more information about updating CTLs offline, refer to the following article: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files
+> - For more information about updating CTLs offline, see (Configure a file or web server to download the CTL files)[https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files].
->For more information about onboarding methods, see the following articles:
+For more information about onboarding methods, see the following articles:
- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel)
- [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
- [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index a92e6a198a..2801e3fffd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -29,6 +29,9 @@ The Microsoft Defender ATP service is constantly being updated to include new fe
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
+>[!TIP]
+>Get notified when this page is updated by copying and pasting the following URL into your feed reader: `https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+preview+features%22&locale=en-us`
+
For more information on new capabilities that are generally available, see [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md).
## Turn on preview features
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index a8e06922a8..caa1caf419 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -27,8 +27,13 @@ The following features are generally available (GA) in the latest release of Mic
For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
-RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
-`https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us`
+
+> [!TIP]
+> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
+>
+> ```https
+> https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us
+> ```
## April 2020
@@ -58,7 +63,7 @@ RSS feed: Get notified when this page is updated by copying and pasting the foll
## September 2019
-- [Tamper Protection settings using Intune](../windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune).
+- [Tamper Protection settings using Intune](../windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune).
- [Live response](live-response.md)
Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time.