Merge pull request #43 from MicrosoftDocs/master

Public contributions to live
2025-05-14 22:37:22 +00:00 · 2019-04-22 11:12:16 -07:00 · 2019-04-22 11:12:16 -07:00 · a4fd1d0fde
commit a4fd1d0fde
parent 72a5714385 4e03db2f71
10 changed files with 210 additions and 73 deletions
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@ -429,7 +429,7 @@ The following diagram shows the BitLocker configuration service provider in tree
 <p style="margin-left: 20px">The possible values for 'xx' are:</p>
 -  0 = Empty
-  1 = Use default recovery message and URL.
+-  1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input").
 -  2 = Custom recovery message is set.
 -  3 = Custom recovery URL is set.
 -  'yy' = string of max length 900.
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@ -401,7 +401,7 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
 <a href="" id="vpnv2-profilename-pluginprofile-serverurllist"></a>**VPNv2/***ProfileName***/PluginProfile/ServerUrlList**  
-Required for plug-in profiles. Comma separated list of servers in URL, hostname, or IP format.
+Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@ -106,7 +106,7 @@ The following resources provide additional information about using Windows Updat
   - regsvr32.exe wuwebv.dll 
 7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER:  
   ```
-   netsh reset winsock 
+   netsh winsock reset 
   ```
 8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER:  
   ```
--- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
@ -40,52 +40,52 @@ We used the following methodology to derive these network endpoints:
 | **Destination** | **Protocol** | **Description** |
 | --- | --- | --- |
-|*.aria.microsoft.com*	| HTTPS |	Office Telemetry
+|\*.aria.microsoft.com\*	| HTTPS |	Office Telemetry
-|*.dl.delivery.mp.microsoft.com*	| HTTP |	Enables connections to Windows Update.
+|\*.dl.delivery.mp.microsoft.com\*	| HTTP |	Enables connections to Windows Update.
-|*.download.windowsupdate.com*	| HTTP |	Used to download operating system patches and updates.
+|\*.download.windowsupdate.com\*	| HTTP |	Used to download operating system patches and updates.
-|*.g.akamai.net	| HTTPS |	Used to check for updates to maps that have been downloaded for offline use.
+|\*.g.akamai.net	| HTTPS |	Used to check for updates to maps that have been downloaded for offline use.
-|*.msn.com*	|TLSv1.2/HTTPS |	Windows Spotlight related traffic
+|\*.msn.com\*	|TLSv1.2/HTTPS |	Windows Spotlight related traffic
-|*.Skype.com	| HTTP/HTTPS |	Skype related traffic
+|\*.Skype.com	| HTTP/HTTPS |	Skype related traffic
-|*.smartscreen.microsoft.com*	| HTTPS |	Windows Defender Smartscreen related traffic
+|\*.smartscreen.microsoft.com\*	| HTTPS |	Windows Defender Smartscreen related traffic
-|*.telecommand.telemetry.microsoft.com*	| HTTPS |	Used by Windows Error Reporting.
+|\*.telecommand.telemetry.microsoft.com\*	| HTTPS |	Used by Windows Error Reporting.
-|*cdn.onenote.net*	| HTTP |	OneNote related traffic
+|\*cdn.onenote.net*	| HTTP |	OneNote related traffic
-|*displaycatalog.mp.microsoft.com*	| HTTPS |	Used to communicate with Microsoft Store.
+|\*displaycatalog.mp.microsoft.com\*	| HTTPS |	Used to communicate with Microsoft Store.
-|*emdl.ws.microsoft.com*	| HTTP |	Windows Update related traffic
+|\*emdl.ws.microsoft.com\*	| HTTP |	Windows Update related traffic
-|*geo-prod.do.dsp.mp.microsoft.com*	|TLSv1.2/HTTPS |	Enables connections to Windows Update.
+|\*geo-prod.do.dsp.mp.microsoft.com\*	|TLSv1.2/HTTPS |	Enables connections to Windows Update.
-|*hwcdn.net*	| HTTP |	Used by the Highwinds Content Delivery Network to perform Windows updates.
+|\*hwcdn.net*	| HTTP |	Used by the Highwinds Content Delivery Network to perform Windows updates.
-|*img-prod-cms-rt-microsoft-com.akamaized.net*	| HTTPS |	Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
+|\*img-prod-cms-rt-microsoft-com.akamaized.net*	| HTTPS |	Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
-|*maps.windows.com*	| HTTPS |	Related to Maps application.
+|\*maps.windows.com\*	| HTTPS |	Related to Maps application.
-|*msedge.net*	| HTTPS |	Used by OfficeHub to get the metadata of Office apps.
+|\*msedge.net*	| HTTPS |	Used by OfficeHub to get the metadata of Office apps.
-|*nexusrules.officeapps.live.com*	| HTTPS |	Office Telemetry
+|\*nexusrules.officeapps.live.com\*	| HTTPS |	Office Telemetry
-|*photos.microsoft.com*	| HTTPS |	Photos App related traffic
+|\*photos.microsoft.com\*	| HTTPS |	Photos App related traffic
-|*prod.do.dsp.mp.microsoft.com*	|TLSv1.2/HTTPS |	Used for Windows Update downloads of apps and OS updates.
+|\*prod.do.dsp.mp.microsoft.com\*	|TLSv1.2/HTTPS |	Used for Windows Update downloads of apps and OS updates.
-|*wac.phicdn.net*	| HTTP |	Windows Update related traffic
+|\*wac.phicdn.net*	| HTTP |	Windows Update related traffic
-|*windowsupdate.com*	| HTTP |	Windows Update related traffic
+|\*windowsupdate.com\*	| HTTP |	Windows Update related traffic
-|*wns.windows.com*	| HTTPS, TLSv1.2 |	Used for the Windows Push Notification Services (WNS).
+|\*wns.windows.com\*	| HTTPS, TLSv1.2 |	Used for the Windows Push Notification Services (WNS).
-|*wpc.v0cdn.net*	| |	Windows Telemetry related traffic
+|\*wpc.v0cdn.net*	| |	Windows Telemetry related traffic
 |auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js	| |	MSA related
 |evoke-windowsservices-tas.msedge*	| HTTPS |	The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-|fe2.update.microsoft.com*	|TLSv1.2/HTTPS |	Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store.
+|fe2.update.microsoft.com\*	|TLSv1.2/HTTPS |	Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store.
-|fe3.*.mp.microsoft.com.* 	|TLSv1.2/HTTPS |	Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store.
+|fe3.\*.mp.microsoft.com.\* 	|TLSv1.2/HTTPS |	Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store.
 |fs.microsoft.com	| |	Font Streaming (in ENT traffic)
-|g.live.com*	| HTTPS |	Used by OneDrive
+|g.live.com\*	| HTTPS |	Used by OneDrive
 |iriscoremetadataprod.blob.core.windows.net	| HTTPS |	Windows Telemetry
-|mscrl.micorosoft.com	| |	Certificate Revocation List related traffic.
+|mscrl.microsoft.com	| |	Certificate Revocation List related traffic.
-|ocsp.digicert.com*	| HTTP |	CRL and OCSP checks to the issuing certificate authorities.
+|ocsp.digicert.com\*	| HTTP |	CRL and OCSP checks to the issuing certificate authorities.
 |officeclient.microsoft.com	| HTTPS |	Office related traffic.
 |oneclient.sfx.ms*	| HTTPS |	Used by OneDrive for Business to download and verify app updates.
-|purchase.mp.microsoft.com*	| HTTPS |	Used to communicate with Microsoft Store.
+|purchase.mp.microsoft.com\*	| HTTPS |	Used to communicate with Microsoft Store.
-|query.prod.cms.rt.microsoft.com*	| HTTPS |	Used to retrieve Windows Spotlight metadata.
+|query.prod.cms.rt.microsoft.com\*	| HTTPS |	Used to retrieve Windows Spotlight metadata.
-|ris.api.iris.microsoft.com*	|TLSv1.2/HTTPS |	Used to retrieve Windows Spotlight metadata.
+|ris.api.iris.microsoft.com\*	|TLSv1.2/HTTPS |	Used to retrieve Windows Spotlight metadata.
 |ris-prod-atm.trafficmanager.net	| HTTPS |	Azure traffic manager
-|settings.data.microsoft.com*	| HTTPS |	Used for Windows apps to dynamically update their configuration.
+|settings.data.microsoft.com\*	| HTTPS |	Used for Windows apps to dynamically update their configuration.
-|settings-win.data.microsoft.com*	| HTTPS |	Used for Windows apps to dynamically update their configuration.
+|settings-win.data.microsoft.com\*	| HTTPS |	Used for Windows apps to dynamically update their configuration.
-|sls.update.microsoft.com*	|TLSv1.2/HTTPS |	Enables connections to Windows Update.
+|sls.update.microsoft.com\*	|TLSv1.2/HTTPS |	Enables connections to Windows Update.
-|store*.dsx.mp.microsoft.com*	| HTTPS |	Used to communicate with Microsoft Store.
+|store*.dsx.mp.microsoft.com\*	| HTTPS |	Used to communicate with Microsoft Store.
-|storecatalogrevocation.storequality.microsoft.com*	| HTTPS |	Used to revoke licenses for malicious apps on the Microsoft Store.
+|storecatalogrevocation.storequality.microsoft.com\*	| HTTPS |	Used to revoke licenses for malicious apps on the Microsoft Store.
-|store-images.s-microsoft.com*	| HTTP |	Used to get images that are used for Microsoft Store suggestions.
+|store-images.s-microsoft.com\*	| HTTP |	Used to get images that are used for Microsoft Store suggestions.
-|tile-service.weather.microsoft.com*	| HTTP |	Used to download updates to the Weather app Live Tile.
+|tile-service.weather.microsoft.com\*	| HTTP |	Used to download updates to the Weather app Live Tile.
-|tsfe.trafficshaping.dsp.mp.microsoft.com*	|TLSv1.2 |	Used for content regulation.
+|tsfe.trafficshaping.dsp.mp.microsoft.com\*	|TLSv1.2 |	Used for content regulation.
 |v10.events.data.microsoft.com	| HTTPS |	Diagnostic Data
 |wdcp.microsoft.*	|TLSv1.2 |	Used for Windows Defender when Cloud-based Protection is enabled.
 |wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com	| HTTPS |	Windows Defender related traffic.
@ -111,7 +111,7 @@ We used the following methodology to derive these network endpoints:
 | ipv4.login.msa.akadns6.net	| HTTPS |	Used for Microsoft accounts to sign in. |
 | location-inference-westus.cloudapp.net	| HTTPS |	Used for location data. |
 | modern.watson.data.microsoft.com.akadns.net	| HTTPS |	Used by Windows Error Reporting. |
-| ocsp.digicert.com* |	HTTP | CRL and OCSP checks to the issuing certificate authorities. |
+| ocsp.digicert.com\* |	HTTP | CRL and OCSP checks to the issuing certificate authorities. |
 | ris.api.iris.microsoft.com.akadns.net	| HTTPS |	Used to retrieve Windows Spotlight metadata. |
 | tile-service.weather.microsoft.com/* | HTTP |	Used to download updates to the Weather app Live Tile. |
 | tsfe.trafficshaping.dsp.mp.microsoft.com	| HTTPS |	Used for content regulation. |
@ -127,10 +127,10 @@ We used the following methodology to derive these network endpoints:
 | *.g.akamaiedge.net	| HTTPS |	Used to check for updates to maps that have been downloaded for offline use. |
 | *.s-msedge.net	| HTTPS |	Used by OfficeHub to get the metadata of Office apps. |
 | *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
-| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. |
+| *.tlu.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. |
-| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
+| *.windowsupdate.com\* | HTTP | Enables connections to Windows Update. |
 | *geo-prod.do.dsp.mp.microsoft.com	| HTTPS |	Enables connections to Windows Update. |
-| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
+| au.download.windowsupdate.com\* | HTTP | Enables connections to Windows Update. |
 | cdn.onenote.net/livetile/*	| HTTPS |	Used for OneNote Live Tile. |
 | client-office365-tas.msedge.net/*	| HTTPS |	Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. |
 | config.edge.skype.com/*	| HTTPS |	Used to retrieve Skype configuration values.  |
@ -151,7 +151,7 @@ We used the following methodology to derive these network endpoints:
 | maps.windows.com/windows-app-web-link	| HTTPS |	Link to Maps application |
 | modern.watson.data.microsoft.com.akadns.net	| HTTPS |	Used by Windows Error Reporting. |
 | ocos-office365-s2s.msedge.net/*	| HTTPS |	Used to connect to the Office 365 portal's shared infrastructure. |
-| ocsp.digicert.com* |	HTTP | CRL and OCSP checks to the issuing certificate authorities. |
+| ocsp.digicert.com\* |	HTTP | CRL and OCSP checks to the issuing certificate authorities. |
 | oneclient.sfx.ms/*	| HTTPS |	Used by OneDrive for Business to download and verify app updates. |
 | settings-win.data.microsoft.com/settings/*	| HTTPS |	Used as a way for apps to dynamically update their configuration. |
 | sls.update.microsoft.com/*	| HTTPS |	Enables connections to Windows Update. |
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -228,6 +228,7 @@
 ####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
 ###### [Onboard servers](windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md)
 ###### [Onboard non-Windows machines](windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
 ###### [Onboard machines without Internet access](windows-defender-atp/onboard-offline-machines.md)
 ###### [Run a detection test on a newly onboarded machine](windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md)
 ###### [Run simulated attacks on machines](windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md)
 ###### [Configure proxy and Internet connectivity settings](windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md)
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@ -17,37 +17,48 @@ ms.date: 04/19/2017
 -   Windows Server 2016
-This event is logged if the Windows Filtering Platform has blocked a bind to a local port.
+<img src="images/event-5159.png" alt="Event 5159 illustration" width="491" height="466" hspace="10" align="left" />
 There is no example of this event in this document.
 ***Subcategory:***&nbsp;[Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-***Event Schema:***
+***Event Description:***
-*The Windows Filtering Platform has blocked a bind to a local port.*
+This event is logged if the Windows Filtering Platform has blocked a bind to a local port.
-*Application Information:*
+<br clear="all">
-> *Process ID:%1*
+***Event XML:***
->
+```
-> *Application Name:%2*
+- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 - <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
 <EventID>5159</EventID>
 <Version>0</Version>
 <Level>0</Level>
 <Task>12810</Task>
 <Opcode>0</Opcode>
 <Keywords>0x8010000000000000</Keywords>
 <TimeCreated SystemTime="2019-04-19T07:36:55.955388300Z" />
 <EventRecordID>44097</EventRecordID>
 <Correlation />
 <Execution ProcessID="4" ThreadID="6480" />
 <Channel>Security</Channel>
 <Computer>DC01.contoso.local</Computer>
 <Security />
 </System>
 - <EventData>
 <Data Name="ProcessId">7924</Data>
 <Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
 <Data Name="SourceAddress">0.0.0.0</Data>
 <Data Name="SourcePort">5555</Data>
 <Data Name="Protocol">6</Data>
 <Data Name="FilterRTID">84614</Data>
 <Data Name="LayerName">%%14608</Data>
 <Data Name="LayerRTID">36</Data>
 </EventData>
 </Event>
-*Network Information:*
+```
 > *Source Address:%3*
 >
 > *Source Port:%4*
 >
 > *Protocol:%5*
 *Filter Information:*
 > *Filter Run-Time ID:%6*
 >
 > *Layer Name:%7*
 >
 > *Layer Run-Time ID:%8*
 ***Required Server Roles:*** None.
@ -55,6 +66,76 @@ There is no example of this event in this document.
 ***Event Versions:*** 0.
 ***Field Descriptions:***
 **Application Information**:
 -   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
 <!-- -->
 -   **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
    Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
 <img src="images/diskpart.png" alt="DiskPart illustration" width="786" height="246" />
 **Network Information:**
 -   **Source Address** \[Type = UnicodeString\]**:** the local IP address of the computer running the application.
    -   IPv4 Address
    -   IPv6 Address
    -   :: - all IP addresses in IPv6 format
    -   0.0.0.0 - all IP addresses in IPv4 format
    -   127.0.0.1 , ::1 - localhost
 -   **Source Port** \[Type = UnicodeString\]**:** the port number used by the application.
 -   **Protocol** \[Type = UInt32\]: the protocol number being used.
 | Service                                            | Protocol Number |
 |----------------------------------------------------|-----------------|
 | Internet Control Message Protocol (ICMP)           | 1               |
 | Transmission Control Protocol (TCP)                | 6               |
 | User Datagram Protocol (UDP)                       | 17              |
 | General Routing Encapsulation (PPTP data over GRE) | 47              |
 | Authentication Header (AH) IPSec                   | 51              |
 | Encapsulation Security Payload (ESP) IPSec         | 50              |
 | Exterior Gateway Protocol (EGP)                    | 8               |
 | Gateway-Gateway Protocol (GGP)                     | 3               |
 | Host Monitoring Protocol (HMP)                     | 20              |
 | Internet Group Management Protocol (IGMP)          | 88              |
 | MIT Remote Virtual Disk (RVD)                      | 66              |
 | OSPF Open Shortest Path First                      | 89              |
 | PARC Universal Packet Protocol (PUP)               | 12              |
 | Reliable Datagram Protocol (RDP)                   | 27              |
 | Reservation Protocol (RSVP) QoS                    | 46              |
 **Filter Information:**
 -   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
    To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As a result of this command, **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**&lt;filterId&gt;**)**,** for example:
    <img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
 -   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
 -   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example:
 <img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
 ## Security Monitoring Recommendations
 -   There is no recommendation for this event in this document.
--- a/windows/security/threat-protection/auditing/images/event-5159.png
+++ b/windows/security/threat-protection/auditing/images/event-5159.png
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@ -227,6 +227,7 @@
 ###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
 ##### [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
 ##### [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
 ##### [Onboard machines without Internet access](onboard-offline-machines.md)
 ##### [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md)
 ##### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md)
 ##### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
--- a/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md
@ -0,0 +1,54 @@
 ---
 title: Onboard machines without Internet access to Windows Defender ATP
 description: Onboard machines without Internet access so that they can send sensor data to the Windows Defender ATP sensor
 keywords: onboard, servers, vm, on-premise, oms gateway, log analytics, azure log analytics, mma
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ---
 # Onboard machines without Internet access to Windows Defender ATP 
 **Applies to:**
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 To onboard machines without Internet access, you'll need to take the following general steps:
 ## On-premise machines
 - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
  - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
  - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID
 - Offline machines in the same network of Azure Log Analytics
  -  Configure MMA to point to:
     - Azure Log Analytics IP as a proxy
     - Microsoft Defender ATP workspace key & ID
 ## Azure virtual machines
 - Configure and enable [Azure Log Analytics workspace](https://docs.microsoft.com/azure/azure-monitor/platform/gateway)
    - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
      - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
      - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID
    - Offline Azure VMs in the same network of OMS Gateway
      - Configure Azure Log Analytics IP as a proxy
      - Azure Log Analytics Workspace Key & ID
    - Azure Security Center (ASC)
      - [Security Policy \> Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration)
      - [Threat Detection \> Allow Windows Defender ATP to access my data](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration)
        For more information, see [Working with security policies](https://docs.microsoft.com/azure/security-center/tutorial-security-policy).
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@ -53,8 +53,8 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev
 | Event ID | Description |
 |----------|-------------|
 |5007      | Event when settings are changed |
-| 1121     | Event when an attack surface reduction rule fires in audit mode |
+| 1121     | Event when an attack surface reduction rule fires in block mode |
-| 1122     | Event when an attack surface reduction rule fires in block mode |
+| 1122     | Event when an attack surface reduction rule fires in audit mode |
 ## Customize attack surface reduction rules