Merge branch 'master' into macky-fwbestpractices

windows/client-management/mdm/healthattestation-csp.md

@@ -74,7 +74,7 @@ The following is a list of functions performed by the Device HealthAttestation C
 
 <strong>DHA-Enabled MDM (Device HealthAttestation enabled device management solution)</strong>
 <p style="margin-left: 20px">Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.</p>
-<p style="margin-left: 20px">DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromized by advanced security threats or running a malicious (jailbroken) operating system.</p>
+<p style="margin-left: 20px">DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.</p>
 <p style="margin-left: 20px">The following list of operations are performed by DHA-Enabled-MDM:</p>
 <ul>
 <li>Enables the DHA feature on a DHA-Enabled device</li>
@@ -195,10 +195,10 @@ The following diagram shows the Device HealthAttestation configuration service p
 
 <p style="margin-left: 20px">The following list shows some examples of supported values. For the complete list of status see <a href="#device-healthattestation-csp-status-and-error-codes" data-raw-source="[Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes)">Device HealthAttestation CSP status and error codes</a>.</p>
 
--   0 - (HEALTHATTESTATION\_CERT\_RETRI_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
+-   0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
--   1 - (HEALTHATTESTATION\_CERT\_RETRI_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
+-   1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
 -   2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes
--   3 - (HEALTHATTESTATION\_CERT\_RETRI_COMPLETE): DHA-Data is ready for pick up
+-   3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up
 
 <a href="" id="forceretrieve"></a>**ForceRetrieve** (Optional)  
 <p style="margin-left: 20px">Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.</p>
@@ -220,7 +220,7 @@ The following diagram shows the Device HealthAttestation configuration service p
 <a href="" id="correlationid"></a>**CorrelationId** (Required)  
 <p style="margin-left: 20px">Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.</p>
 
-<p style="margin-left: 20px">Value type is integer, the minimum value is - 2,147,483,648 and the maximun value is 2,147,483,647. The supported operation is Get.</p>
+<p style="margin-left: 20px">Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.</p>
 
 <a href="" id="hasendpoint"></a>**HASEndpoint** (Optional)
 <p style="margin-left: 20px">Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.</p>
@@ -359,8 +359,8 @@ The following example shows a sample call that triggers collection and verificat
 
 After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take.
 
-- If the response is HEALTHATTESTATION\_CERT_RETRI_COMPLETE (3) then proceed to the next section.
+- If the response is HEALTHATTESTATION\_CERT_RETRIEVAL_COMPLETE (3) then proceed to the next section.
-- If the response is HEALTHATTESTATION_CERT_RETRI_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRI_UNINITIALIZED (0) wait for an alert, then proceed to the next section.
+- If the response is HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED (0) wait for an alert, then proceed to the next section.
 
 Here is a sample alert that is issued by DHA_CSP:
 
@@ -830,7 +830,7 @@ Each of these are described in further detail in the following sections, along w
     <tr>
         <td style="vertical-align:top">3</td>
         <td style="vertical-align:top">HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE</td>
-        <td style="vertical-align:top">This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.</td>
+        <td style="vertical-align:top">This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.</td>
     </tr>
     <tr>
         <td style="vertical-align:top">4</td>

windows/deployment/TOC.yml

@@ -199,6 +199,7 @@
                   - name: Data handling and privacy in Update Compliance
                     href: update/update-compliance-privacy.md
                   - name: Update Compliance schema reference
+                    href: update/update-compliance-schema.md
                     items:
                       - name: WaaSUpdateStatus
                         href: update/update-compliance-schema-waasupdatestatus.md

windows/deployment/update/update-compliance-configuration-script.md

@@ -19,7 +19,11 @@ ms.topic: article
 
 The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
 
-You can [**download the script here**](https://www.microsoft.com/en-us/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
+> [!NOTE]
+> The Update Compliance configuration script does not offer options to configure Delivery Optimization. You have to do that separately.
+
+
+You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
 
 ## How the script is organized
 

windows/deployment/update/update-compliance-schema.md

@@ -20,6 +20,9 @@ When the visualizations provided in the default experience don't fulfill your re
 
 The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-queries).
 
+> [!NOTE]
+> Data is collected daily. The TimeGenerated field shows the time data was collected. It's added by Log Analytics when data is collected. Device data from the past 28 days is collected, even if no new data has been generated since the last time. LastScan is a clearer indicator of data freshness (that is, the last time the values were updated), while TimeGenerated indicates the freshness of data within Log Analytics.
+
 |Table |Category |Description |
 |--|--|--|
 |[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |

windows/deployment/volume-activation/activate-using-key-management-service-vamt.md

@@ -20,22 +20,25 @@ ms.topic: article
 # Activate using Key Management Service
 
 **Applies to**
--   Windows 10
+
--   Windows 8.1
+- Windows 10
--   Windows 8
+- Windows 8.1
--   Windows 7
+- Windows 8
--   Windows Server 2012 R2
+- Windows 7
--   Windows Server 2012
+- Windows Server 2012 R2
--   Windows Server 2008 R2
+- Windows Server 2012
+- Windows Server 2008 R2
 
 **Looking for retail activation?**
 
--   [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/)
+- [Get Help Activating Microsoft Windows 7 or Windows 8.1 ](https://go.microsoft.com/fwlink/p/?LinkId=618644)
 
 There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host:
--   Host KMS on a computer running Windows 10
+
--   Host KMS on a computer running Windows Server 2012 R2
+- Host KMS on a computer running Windows 10
--   Host KMS on a computer running an earlier version of Windows
+- Host KMS on a computer running Windows Server 2012 R2
+- Host KMS on a computer running an earlier version of Windows
 
 Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2015/09/15/windows-10-volume-activation-tips/).
 
@@ -43,14 +46,15 @@ Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.co
 
 Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
 Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
-To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services.
+To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft activation services.
 
-**Configure KMS in Windows 10**
+### Configure KMS in Windows 10
+
+To activate, use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands:
 
-To activate , use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands:
 - To install the KMS key, type `slmgr.vbs /ipk <KmsKey>`.
 - To activate online, type `slmgr.vbs /ato`.
-- To activate by telephone , follow these steps:
+- To activate by telephone, follow these steps:
   1. Run `slmgr.vbs /dti` and confirm the installation ID.
   2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
   3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
@@ -59,18 +63,18 @@ To activate , use the slmgr.vbs command. Open an elevated command prompt and run
 For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032).
 
 ## Key Management Service in Windows Server 2012 R2
+
 Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
 
-**Note**  
+> [!NOTE]
-You cannot install a client KMS key into the KMS in Windows Server.
+> You cannot install a client KMS key into the KMS in Windows Server.
 
 This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden.
 
-**Note**  
+> [!NOTE]
+> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
 
-If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
+### Configure KMS in Windows Server 2012 R2
-
-**Configure KMS in Windows Server 2012 R2**
 
 1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
 2. Launch Server Manager.
@@ -78,7 +82,7 @@ If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise,
 
    ![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg)
 
-   **Figure 4**. Adding the Volume Activation Services role in Server Manager\
+   **Figure 4**. Adding the Volume Activation Services role in Server Manager
 
 4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
 
@@ -86,21 +90,21 @@ If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise,
 
    **Figure 5**. Launching the Volume Activation Tools
 
-   5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
+5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
       This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
 
    ![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg)
 
    **Figure 6**. Configuring the computer as a KMS host
 
-5. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
+6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
 
    ![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg)
 
    **Figure 7**. Installing your KMS host key
 
-6. If asked to confirm replacement of an existing key, click **Yes**.
+7. If asked to confirm replacement of an existing key, click **Yes**.
-7. After the product key is installed, you must activate it. Click **Next** (Figure 8).
+8. After the product key is installed, you must activate it. Click **Next** (Figure 8).
 
    ![Activating the software](../images/volumeactivationforwindows81-08.jpg)
 
@@ -123,25 +127,27 @@ You can verify KMS volume activation from the KMS host server or from the client
 
 To verify that KMS volume activation works, complete the following steps:
 
-1.  On the KMS host, open the event log and confirm that DNS publishing is successful.
+1. On the KMS host, open the event log and confirm that DNS publishing is successful.
-2.  On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.<p>
+2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.
-The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
-3.  On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.<p>
 
-The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
+   The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
+3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr.vbs /dlv**, and then press ENTER.
 
-For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://go.microsoft.com/fwlink/p/?LinkId=733639).
+   The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
+
+For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
 
 ## Key Management Service in earlier versions of Windows
 
 If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
 
-1.  Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
+1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
-2.  Request a new KMS host key from the Volume Licensing Service Center.
+2. Request a new KMS host key from the Volume Licensing Service Center.
-3.  Install the new KMS host key on your KMS host.
+3. Install the new KMS host key on your KMS host.
-4.  Activate the new KMS host key by running the slmgr.vbs script.
+4. Activate the new KMS host key by running the slmgr.vbs script.
 
 For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
 
 ## See also
--   [Volume Activation for Windows 10](volume-activation-windows-10.md)
+
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)

windows/deployment/volume-activation/introduction-vamt.md

@@ -19,24 +19,26 @@ ms.topic: article
 
 The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012.
 
-**Note**  
+> [!NOTE]
-VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
+> VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
 
 ## In this Topic
--   [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
+
--   [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
+- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
--   [Enterprise Environment](#bkmk-enterpriseenvironment)
+- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
--   [VAMT User Interface](#bkmk-userinterface)
+- [Enterprise Environment](#bkmk-enterpriseenvironment)
+- [VAMT User Interface](#bkmk-userinterface)
 
 ## <a href="" id="bkmk-managingmak"></a>Managing Multiple Activation Key (MAK) and Retail Activation
 
 You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
--   **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
+
--   **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
+- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
+- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
 
 ## <a href="" id="bkmk-managingkms"></a>Managing Key Management Service (KMS) Activation
 
-In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
+In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.\
 VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
 
 ## <a href="" id="bkmk-enterpriseenvironment"></a>Enterprise Environment
@@ -55,13 +57,13 @@ The following screenshot shows the VAMT graphical user interface.
 ![VAMT user interface](images/vamtuserinterfaceupdated.jpg)
 
 VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
--   **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
+
--   **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
+- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
--   **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
+- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
--   **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
+- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
--   **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
+- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
+- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
 
 ## Related topics
+
 - [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
- 
- 

windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md

@@ -1,7 +1,7 @@
 ---
 title: Collect diagnostic data of Microsoft Defender Antivirus
 description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
-keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av
+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -25,7 +25,7 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV.
+This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
 
 > [!NOTE]
 > As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
@@ -54,7 +54,7 @@ On at least two devices that are experiencing the same issue, obtain the .cab di
 4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
 
 > [!NOTE]
-> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>`  <br/>For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
+> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>`  <br/>For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
 
 5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
 
@@ -78,7 +78,7 @@ mpcmdrun.exe -GetFiles -SupportLogLocation <path>
 
 Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration.
 
-When the SupportLogLocation parameter is used, a folder structure as below will be created in the destination path:
+When the SupportLogLocation parameter is used, a folder structure like as follows will be created in the destination path:
 
 ```Dos
 <path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab
@@ -86,13 +86,30 @@ When the SupportLogLocation parameter is used, a folder structure as below will
 
 | field  | Description   |
 |:----|:----|
-| path | The path as specified on the commandline or retrieved from configuration
+| path | The path as specified on the command line or retrieved from configuration
-| MMDD | Month Day when the diagnostic data was collected (eg 0530)
+| MMDD | Month and day when the diagnostic data was collected (for example, 0530)
-| hostname | the hostname of the device on which the diagnostic data was collected.
+| hostname | The hostname of the device on which the diagnostic data was collected
-| HHMM | Hours Minutes when the diagnostic data was collected (eg 1422)
+| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422)
 
 > [!NOTE]
-> When using a File share please make sure that account used to collect the diagnostic package has write access to the share.  
+> When using a file share please make sure that account used to collect the diagnostic package has write access to the share.  
+
+## Specify location where diagnostic data is created
+
+You can also specify where the diagnostic .cab file will be created using a Group Policy Object (GPO). 
+
+1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation`
+   
+1. Select **Define the directory path to copy support log files**.
+
+    ![Screenshot of local group policy editor](images/GPO1-SupportLogLocationDefender.png)  
+        
+     ![Screenshot of define path for log files setting](images/GPO2-SupportLogLocationGPPage.png)  
+3. Inside the policy editor, select **Enabled**.
+       
+4. Specify the directory path where you want to copy the support log files in the **Options** field.
+     ![Screenshot of Enabled directory path custom setting](images/GPO3-SupportLogLocationGPPageEnabledExample.png) 
+5. Select **OK** or **Apply**.
 
 ## See also
 

windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md

@@ -10,8 +10,8 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 10/01/2018
-ms.reviewer: 
+ms.reviewer: ksarens
 manager: dansimp
 ---
 
@@ -96,7 +96,7 @@ Root | Allow antimalware service to start up with normal priority | [Configure r
 Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
 Root | Turn off routine remediation | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
 Root | Randomize scheduled task times | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
+Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) (Not supported on Windows 10)
 Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
 Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
 Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md

@@ -29,104 +29,104 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a
 
 ## Enable the Insider program with Jamf
 
-a. Create configuration profile com.microsoft.wdav.plist with the following content:
+1. Create configuration profile com.microsoft.wdav.plist with the following content:
 
-```XML
+   ```XML
-    <?xml version="1.0" encoding="UTF-8"?>
+       <?xml version="1.0" encoding="UTF-8"?>
-    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-    <plist version="1.0">
+       <plist version="1.0">
-    <dict>
+       <dict>
-        <key>edr</key>
+           <key>edr</key>
-        <dict>
+           <dict>
-            <key>earlyPreview</key>
+               <key>earlyPreview</key>
-            <true/>
+               <true/>
-        </dict>
+           </dict>
-    </dict>
+       </dict>
-    </plist>
+       </plist>
-```
+   ```
 
-b. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**.
+1. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**.
 
-c. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier.
+1. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier.
 
->[!WARNING]
+   > [!WARNING]
->You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
+   > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
 
 ## Enable the Insider program with Intune
 
-a. Create configuration profile com.microsoft.wdav.plist with the following content:
+1. Create configuration profile com.microsoft.wdav.plist with the following content:
 
- ```XML
+    ```XML
-    <?xml version="1.0" encoding="utf-8"?>
+       <?xml version="1.0" encoding="utf-8"?>
-    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-    <plist version="1">
+       <plist version="1">
-        <dict>
+           <dict>
-            <key>PayloadUUID</key>
+               <key>PayloadUUID</key>
-            <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
+               <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
-            <key>PayloadType</key>
+               <key>PayloadType</key>
-            <string>Configuration</string>
+               <string>Configuration</string>
-            <key>PayloadOrganization</key>
+               <key>PayloadOrganization</key>
-            <string>Microsoft</string>
+               <string>Microsoft</string>
-            <key>PayloadIdentifier</key>
+               <key>PayloadIdentifier</key>
-            <string>com.microsoft.wdav</string>
+               <string>com.microsoft.wdav</string>
-            <key>PayloadDisplayName</key>
+               <key>PayloadDisplayName</key>
-            <string>Microsoft Defender ATP settings</string>
+               <string>Microsoft Defender ATP settings</string>
-            <key>PayloadDescription</key>
+               <key>PayloadDescription</key>
-            <string>Microsoft Defender ATP configuration settings</string>
+               <string>Microsoft Defender ATP configuration settings</string>
-            <key>PayloadVersion</key>
+               <key>PayloadVersion</key>
-            <integer>1</integer>
+               <integer>1</integer>
-            <key>PayloadEnabled</key>
+               <key>PayloadEnabled</key>
-            <true/>
+               <true/>
-            <key>PayloadRemovalDisallowed</key>
+               <key>PayloadRemovalDisallowed</key>
-            <true/>
+               <true/>
-            <key>PayloadScope</key>
+               <key>PayloadScope</key>
-            <string>System</string>
+               <string>System</string>
-            <key>PayloadContent</key>
+               <key>PayloadContent</key>
-            <array>
+               <array>
-                <dict>
+                   <dict>
-                    <key>PayloadUUID</key>
+                       <key>PayloadUUID</key>
-                    <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
+                       <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
-                    <key>PayloadType</key>
+                       <key>PayloadType</key>
-                    <string>com.microsoft.wdav</string>
+                       <string>com.microsoft.wdav</string>
-                    <key>PayloadOrganization</key>
+                       <key>PayloadOrganization</key>
-                    <string>Microsoft</string>
+                       <string>Microsoft</string>
-                    <key>PayloadIdentifier</key>
+                       <key>PayloadIdentifier</key>
-                    <string>com.microsoft.wdav</string>
+                       <string>com.microsoft.wdav</string>
-                    <key>PayloadDisplayName</key>
+                       <key>PayloadDisplayName</key>
-                    <string>Microsoft Defender ATP configuration settings</string>
+                       <string>Microsoft Defender ATP configuration settings</string>
-                    <key>PayloadDescription</key>
+                       <key>PayloadDescription</key>
-                    <string/>
+                       <string/>
-                    <key>PayloadVersion</key>
+                       <key>PayloadVersion</key>
-                    <integer>1</integer>
+                       <integer>1</integer>
-                    <key>PayloadEnabled</key>
+                       <key>PayloadEnabled</key>
-                    <true/>
+                       <true/>
-                    <key>edr</key>
+                       <key>edr</key>
-                    <dict>
+                       <dict>
-                        <key>earlyPreview</key>
+                           <key>earlyPreview</key>
-                        <true/>
+                           <true/>
-                    </dict>
+                       </dict>
-                </dict>
+                   </dict>
-            </array>
+               </array>
-        </dict>
+           </dict>
-    </plist>
+       </plist>
-```
+   ```
 
-b. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**.
+1. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**.
 
-c. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**.
+1. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**.
 
-d. Save the .plist created earlier as com.microsoft.wdav.xml.
+1. Save the .plist created earlier as com.microsoft.wdav.xml.
 
-e. Enter com.microsoft.wdav as the custom configuration profile name.
+1. Enter com.microsoft.wdav as the custom configuration profile name.
 
-f. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
+1. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
 
-g. Select  **OK**.
+1. Select  **OK**.
 
-h. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**.
+1. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**.
 
->[!WARNING]
+   > [!WARNING]
->You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
+   > You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
 
 ## Enable the Insider program manually on a single device
 
@@ -134,7 +134,7 @@ In terminal, run:
 
 ```bash
     mdatp --edr --early-preview true
- ```
+```
 
 For versions earlier than 100.78.0, run:
 
@@ -161,4 +161,4 @@ After a successful deployment and onboarding of the correct version, check that
 
 * Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
 
-If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
+If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).

windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md

@@ -28,7 +28,8 @@ ms.topic: conceptual
 
 This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps:
 - [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Application installation](#application-installation)
+- [Application installation (macOS 10.15 and older versions)](#application-installation-macos-1015-and-older-versions)
+- [Application installation (macOS 11 and newer versions)](#application-installation-macos-11-and-newer-versions)
 - [Client configuration](#client-configuration)
 
 ## Prerequisites and system requirements
@@ -48,7 +49,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
 
 5. From a command prompt, verify that you have the two files.
     
-## Application installation
+## Application installation (macOS 10.15 and older versions)
 
 To complete this process, you must have admin privileges on the device.
 
@@ -65,7 +66,7 @@ To complete this process, you must have admin privileges on the device.
 
    ![App install screenshot](../microsoft-defender-antivirus/images/MDATP-30-SystemExtension.png)
 
-3. Select **Open Security Preferences**  or **Open System Preferences > Security & Privacy**. Select **Allow**:
+3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
 
     ![Security and privacy window screenshot](../microsoft-defender-antivirus/images/MDATP-31-SecurityPrivacySettings.png)
 
@@ -77,6 +78,34 @@ To complete this process, you must have admin privileges on the device.
 > [!NOTE]
 > macOS may request to reboot the device upon the first installation of Microsoft Defender. Real-time protection will not be available until the device is rebooted.
 
+## Application installation (macOS 11 and newer versions)
+
+To complete this process, you must have admin privileges on the device.
+
+1. Navigate to the downloaded wdav.pkg in Finder and open it.
+
+    ![App install screenshot](images/big-sur-install-1.png)
+
+2. Select **Continue**, agree with the License terms, and enter the password when prompted.
+
+3. At the end of the installation process, you will be promoted to approve the system extensions used by the product. Select **Open Security Preferences**.
+
+    ![System extension approval](images/big-sur-install-2.png)
+
+4. From the **Security & Privacy** window, select **Allow**.
+
+    ![System extension security preferences](images/big-sur-install-3.png)
+
+5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender ATP for Mac.
+
+6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. When prompted to grant Microsoft Defender ATP permissions to filter network traffic, select **Allow**.
+
+    ![System extension security preferences](images/big-sur-install-4.png)
+
+7. Open **System Preferences** > **Security & Privacy** and navigate to the **Privacy** tab. Grant **Full Disk Access** permission to **Microsoft Defender ATP** and **Microsoft Defender ATP Endpoint Security Extension**.
+
+    ![Full disk access](images/big-sur-install-5.png)
+
 ## Client configuration
 
 1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender ATP for macOS.

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md

@@ -34,6 +34,7 @@ This topic describes how to deploy Microsoft Defender ATP for Mac through Intune
 
 1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
 1. [Client device setup](#client-device-setup)
+1. [Approve system extensions](#approve-system-extensions)
 1. [Create System Configuration profiles](#create-system-configuration-profiles)
 1. [Publish application](#publish-application)
 
@@ -48,24 +49,30 @@ The following table summarizes the steps you would need to take to deploy and ma
 | Step | Sample file names | BundleIdentifier |
 |-|-|-|
 | [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
+| [Approve System Extension for Microsoft Defender ATP](#approve-system-extensions) | MDATP_SysExt.xml | N/A |
 | [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
 | [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
+| [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A |
 | [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
 | [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)<br/><br/> **Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
-| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
+| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
 
 ## Download installation and onboarding packages
 
 Download the installation and onboarding packages from Microsoft Defender Security Center:
 
 1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
+
 2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
 
     ![Onboarding settings screenshot](images/atp-mac-install.png)
 
 3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
+
 4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
+
 5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
+
 6. From a command prompt, verify that you have the three files.
   
 
@@ -130,203 +137,85 @@ You do not need any special provisioning for a Mac device beyond a standard [Com
 
 2. Select **Continue** and complete the enrollment.
 
-You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
+   You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
 
 3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
 
-![Add Devices screenshot](../microsoft-defender-antivirus/images/MDATP-5-allDevices.png)
+   > [!div class="mx-imgBorder"]
+   > ![Add Devices screenshot](../microsoft-defender-antivirus/images/MDATP-5-allDevices.png)
+
+## Approve System Extensions
+
+To approve the system extensions:
+
+1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
+2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
+
+3. In the `Basics` tab, give a name to this new profile.
+
+4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
+
+    Bundle identifier         | Team identifier
+    --------------------------|----------------
+    com.microsoft.wdav.epsext | UBF8T346G9
+    com.microsoft.wdav.netext | UBF8T346G9
+
+    > [!div class="mx-imgBorder"]
+    > ![System configuration profiles screenshot](images/mac-system-extension-intune2.png)
+
+5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
+
+6. Review and create this configuration profile.
 
 ## Create System Configuration profiles
 
 1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
 2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
+
 3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
+
 4. Select **OK**.
 
     ![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-6-SystemConfigurationProfiles.png)
 
 5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+
 6. Repeat steps 1 through 5 for more profiles.
+
 7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
-8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.<a name="create-system-configuration-profiles-step-8" id = "create-system-configuration-profiles-step-8"></a>
+
+8. Download `fulldisk.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and save it as `tcc.xml`. Create another profile, give it any name and upload this file to it.<a name="create-system-configuration-profiles-step-8" id = "create-system-configuration-profiles-step-8"></a>
 
    > [!CAUTION]
    > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
    >
-   > The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
+   > This configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
 
-   ```xml
+9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections. <a name = "create-system-configuration-profiles-step-9" id = "create-system-configuration-profiles-step-9"></a>
-   <?xml version="1.0" encoding="UTF-8"?>
-   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-   <plist version="1.0">
-   <dict>
-       <key>PayloadDescription</key>
-       <string>Allows Microsoft Defender to access all files on Catalina+</string>
-       <key>PayloadDisplayName</key>
-       <string>TCC - Microsoft Defender</string>
-       <key>PayloadIdentifier</key>
-       <string>com.microsoft.wdav.tcc</string>
-       <key>PayloadOrganization</key>
-       <string>Microsoft Corp.</string>
-       <key>PayloadRemovalDisallowed</key>
-       <false/>
-       <key>PayloadScope</key>
-       <string>system</string>
-       <key>PayloadType</key>
-       <string>Configuration</string>
-       <key>PayloadUUID</key>
-       <string>C234DF2E-DFF6-11E9-B279-001C4299FB44</string>
-       <key>PayloadVersion</key>
-       <integer>1</integer>
-       <key>PayloadContent</key>
-       <array>
-       <dict>
-           <key>PayloadDescription</key>
-           <string>Allows Microsoft Defender to access all files on Catalina+</string>
-           <key>PayloadDisplayName</key>
-           <string>TCC - Microsoft Defender</string>
-           <key>PayloadIdentifier</key>
-           <string>com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
-           <key>PayloadOrganization</key>
-           <string>Microsoft Corp.</string>
-           <key>PayloadType</key>
-           <string>com.apple.TCC.configuration-profile-policy</string>
-           <key>PayloadUUID</key>
-           <string>C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
-           <key>PayloadVersion</key>
-           <integer>1</integer>
-           <key>Services</key>
-           <dict>
-               <key>SystemPolicyAllFiles</key>
-               <array>
-               <dict>
-                   <key>Allowed</key>
-                   <true/>
-                   <key>CodeRequirement</key>
-                   <string>identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
-                   <key>Comment</key>
-                   <string>Allow SystemPolicyAllFiles control for Microsoft Defender ATP</string>
-                   <key>Identifier</key>
-                   <string>com.microsoft.wdav</string>
-                   <key>IdentifierType</key>
-                   <string>bundleID</string>
-               </dict>
-               </array>
-           </dict>
-       </dict>
-       </array>
-   </dict>
-   </plist>
-   ```
 
-9. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload: <a name = "create-system-configuration-profiles-step-9" id = "create-system-configuration-profiles-step-9"></a>
+10. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload. <a name = "create-system-configuration-profiles-step-10" id = "create-system-configuration-profiles-step-10"></a>
 
-   ```xml
+11. Select **Manage > Assignments**.  In the **Include** tab, select **Assign to All Users & All devices**.
-   <?xml version="1.0" encoding="UTF-8"?>
-   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-   <plist version="1.0">
-     <dict>
-       <key>PayloadContent</key>
-       <array>
-         <dict>
-           <key>NotificationSettings</key>
-           <array>
-             <dict>
-               <key>AlertType</key>
-               <integer>2</integer>
-               <key>BadgesEnabled</key>
-               <true/>
-               <key>BundleIdentifier</key>
-               <string>com.microsoft.autoupdate2</string>
-               <key>CriticalAlertEnabled</key>
-               <false/>
-               <key>GroupingType</key>
-               <integer>0</integer>
-               <key>NotificationsEnabled</key>
-               <true/>
-               <key>ShowInLockScreen</key>
-               <false/>
-               <key>ShowInNotificationCenter</key>
-               <true/>
-               <key>SoundsEnabled</key>
-               <true/>
-             </dict>
-             <dict>
-               <key>AlertType</key>
-               <integer>2</integer>
-               <key>BadgesEnabled</key>
-               <true/>
-               <key>BundleIdentifier</key>
-               <string>com.microsoft.wdav.tray</string>
-               <key>CriticalAlertEnabled</key>
-               <false/>
-               <key>GroupingType</key>
-               <integer>0</integer>
-               <key>NotificationsEnabled</key>
-               <true/>
-               <key>ShowInLockScreen</key>
-               <false/>
-               <key>ShowInNotificationCenter</key>
-               <true/>
-               <key>SoundsEnabled</key>
-               <true/>
-             </dict>
-           </array>
-           <key>PayloadDescription</key>
-           <string/>
-           <key>PayloadDisplayName</key>
-           <string>notifications</string>
-           <key>PayloadEnabled</key>
-           <true/>
-           <key>PayloadIdentifier</key>
-           <string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
-           <key>PayloadOrganization</key>
-           <string>Microsoft</string>
-           <key>PayloadType</key>
-           <string>com.apple.notificationsettings</string>
-           <key>PayloadUUID</key>
-           <string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
-           <key>PayloadVersion</key>
-           <integer>1</integer>
-         </dict>
-       </array>
-       <key>PayloadDescription</key>
-       <string/>
-       <key>PayloadDisplayName</key>
-       <string>mdatp - allow notifications</string>
-       <key>PayloadEnabled</key>
-       <true/>
-       <key>PayloadIdentifier</key>
-       <string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
-       <key>PayloadOrganization</key>
-       <string>Microsoft</string>
-       <key>PayloadRemovalDisallowed</key>
-       <false/>
-       <key>PayloadScope</key>
-       <string>System</string>
-       <key>PayloadType</key>
-       <string>Configuration</string>
-       <key>PayloadUUID</key>
-       <string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
-       <key>PayloadVersion</key>
-       <integer>1</integer>
-     </dict>
-   </plist>
-   ```
-
-10. Select **Manage > Assignments**.  In the **Include** tab, select **Assign to All Users & All devices**.
 
 Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
 
-![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png)
+> [!div class="mx-imgBorder"]
+> ![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png)
 
 ## Publish application
 
 1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
+
 2. Select **App type=Other/Line-of-business app**.
+
 3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
+
 4. Select **Configure** and add the required information.
+
 5. Use **macOS High Sierra 10.13** as the minimum OS.
+
 6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
 
     > [!CAUTION]
@@ -334,24 +223,30 @@ Once the Intune changes are propagated to the enrolled devices, you can see them
     >
     > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client device, then uninstall Defender and push the updated policy.
     
-    ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-8-IntuneAppInfo.png)
+    > [!div class="mx-imgBorder"]
+    > ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-8-IntuneAppInfo.png)
 
 7. Select **OK** and **Add**.
 
-    ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-9-IntunePkgInfo.png)
+    > [!div class="mx-imgBorder"]
+    > ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-9-IntunePkgInfo.png)
 
 8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
 
-    ![Client apps screenshot](../microsoft-defender-antivirus/images/MDATP-10-ClientApps.png)
+    > [!div class="mx-imgBorder"]
+    > ![Client apps screenshot](../microsoft-defender-antivirus/images/MDATP-10-ClientApps.png)
 
 9. Change **Assignment type** to **Required**.
+
 10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
 
-    ![Intune assignments info screenshot](../microsoft-defender-antivirus/images/MDATP-11-Assignments.png)
+    > [!div class="mx-imgBorder"]
+    > ![Intune assignments info screenshot](../microsoft-defender-antivirus/images/MDATP-11-Assignments.png)
 
 11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
 
-    ![Intune device status screenshot](../microsoft-defender-antivirus/images/MDATP-12-DeviceInstall.png)
+    > [!div class="mx-imgBorder"]
+    > ![Intune device status screenshot](../microsoft-defender-antivirus/images/MDATP-12-DeviceInstall.png)
 
 ## Verify client device state
 
@@ -365,7 +260,8 @@ Once the Intune changes are propagated to the enrolled devices, you can see them
 
 3. You should also see the Microsoft Defender icon in the top-right corner:
 
-    ![Microsoft Defender icon in status bar screenshot](../microsoft-defender-antivirus/images/MDATP-Icon-Bar.png)
+    > [!div class="mx-imgBorder"]
+    > ![Microsoft Defender icon in status bar screenshot](../microsoft-defender-antivirus/images/MDATP-Icon-Bar.png)
 
 ## Troubleshooting
 

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md

@@ -48,7 +48,7 @@ Most modern MDM solutions include these features, however, they may call them di
 You can deploy Defender without the last requirement from the preceding list, however:
 
 - You will not be able to collect status in a centralized way
-- If you decide to uninstall Defender, you will need to logon to the client device locally as an administrator
+- If you decide to uninstall Defender, you will need to log on to the client device locally as an administrator
 
 ## Deployment
 
@@ -70,13 +70,44 @@ Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be ext
 Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
 Alternatively, it may require you to convert the property list to a different format first.
 
-Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
+Typically, your custom profile has an ID, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
 MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client device, and Defender uses this file for loading the onboarding information.
 
 ### Kernel extension policy
 
 Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to allow kernel extensions provided by Microsoft.
 
+### System extension policy
+
+Set up a system extension policy. Use team identifier **UBF8T346G9** and approve the following bundle identifiers:
+
+- com.microsoft.wdav.epsext
+- com.microsoft.wdav.netext
+
+### Full disk access policy
+
+Grant Full Disk Access to the following components:
+
+- Microsoft Defender ATP
+    - Identifier: `com.microsoft.wdav`
+    - Identifier Type: Bundle ID
+    - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
+
+- Microsoft Defender ATP Endpoint Security Extension
+    - Identifier: `com.microsoft.wdav.epsext`
+    - Identifier Type: Bundle ID
+    - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+
+### Network extension policy
+
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+
+- Filter type: Plugin
+- Plugin bundle identifier: `com.microsoft.wdav`
+- Filter data provider bundle identifier: `com.microsoft.wdav.netext`
+- Filter data provider designated requirement: identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+- Filter sockets: `true`
+
 ## Check installation status
 
 Run [mdatp](mac-install-with-jamf.md) on a client device to check the onboarding status.

windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md

@@ -44,9 +44,13 @@ You'll need to take the following steps:
 
 7. [Approve Kernel extension for Microsoft Defender ATP](#step-7-approve-kernel-extension-for-microsoft-defender-atp)
 
-8. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
+8. [Approve System extensions for Microsoft Defender ATP](#step-8-approve-system-extensions-for-microsoft-defender-atp)
 
-9. [Deploy Microsoft Defender ATP for macOS](#step-9-deploy-microsoft-defender-atp-for-macos)
+9. [Configure Network Extension](#step-9-configure-network-extension)
+
+10. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
+
+11. [Deploy Microsoft Defender ATP for macOS](#step-11-deploy-microsoft-defender-atp-for-macos)
 
 
 ## Step 1: Get the Microsoft Defender ATP onboarding package
@@ -155,106 +159,106 @@ You'll need to take the following steps:
     
      For information, see [Property list for Jamf configuration profile](mac-preferences.md#property-list-for-jamf-configuration-profile).
 
-```XML
+     ```XML
-<?xml version="1.0" encoding="UTF-8"?>
+     <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+     <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
+     <plist version="1.0">
-<dict>
+     <dict>
-    <key>antivirusEngine</key>
+         <key>antivirusEngine</key>
-    <dict>
+         <dict>
-        <key>enableRealTimeProtection</key>
+             <key>enableRealTimeProtection</key>
-        <true/>
+             <true/>
-        <key>passiveMode</key>
+             <key>passiveMode</key>
-        <false/>
+             <false/>
-        <key>exclusions</key>
+             <key>exclusions</key>
-        <array>
+             <array>
-            <dict>
+                 <dict>
-                <key>$type</key>
+                     <key>$type</key>
-                <string>excludedPath</string>
+                     <string>excludedPath</string>
-                <key>isDirectory</key>
+                     <key>isDirectory</key>
-                <false/>
+                     <false/>
-                <key>path</key>
+                     <key>path</key>
-                <string>/var/log/system.log</string>
+                     <string>/var/log/system.log</string>
-            </dict>
+                 </dict>
-            <dict>
+                 <dict>
-                <key>$type</key>
+                     <key>$type</key>
-                <string>excludedPath</string>
+                     <string>excludedPath</string>
-                <key>isDirectory</key>
+                     <key>isDirectory</key>
-                <true/>
+                     <true/>
-                <key>path</key>
+                     <key>path</key>
-                <string>/home</string>
+                     <string>/home</string>
-            </dict>
+                 </dict>
-            <dict>
+                 <dict>
-                <key>$type</key>
+                     <key>$type</key>
-                <string>excludedFileExtension</string>
+                     <string>excludedFileExtension</string>
-                <key>extension</key>
+                     <key>extension</key>
-                <string>pdf</string>
+                     <string>pdf</string>
-            </dict>
+                 </dict>
-            <dict>
+                 <dict>
-                <key>$type</key>
+                     <key>$type</key>
-                <string>excludedFileName</string>
+                     <string>excludedFileName</string>
-                <key>name</key>
+                     <key>name</key>
-                <string>cat</string>
+                     <string>cat</string>
-            </dict>
+                 </dict>
-        </array>
+             </array>
-        <key>exclusionsMergePolicy</key>
+             <key>exclusionsMergePolicy</key>
-        <string>merge</string>
+             <string>merge</string>
-        <key>allowedThreats</key>
+             <key>allowedThreats</key>
-        <array>
+             <array>
-            <string>EICAR-Test-File (not a virus)</string>
+                 <string>EICAR-Test-File (not a virus)</string>
-        </array>
+             </array>
-        <key>disallowedThreatActions</key>
+             <key>disallowedThreatActions</key>
-        <array>
+             <array>
-            <string>allow</string>
+                 <string>allow</string>
-            <string>restore</string>
+                 <string>restore</string>
-        </array>
+             </array>
-        <key>threatTypeSettings</key>
+             <key>threatTypeSettings</key>
-        <array>
+             <array>
-            <dict>
+                 <dict>
-                <key>key</key>
+                     <key>key</key>
-                <string>potentially_unwanted_application</string>
+                     <string>potentially_unwanted_application</string>
-                <key>value</key>
+                     <key>value</key>
-                <string>block</string>
+                     <string>block</string>
-            </dict>
+                 </dict>
-            <dict>
+                 <dict>
-                <key>key</key>
+                     <key>key</key>
-                <string>archive_bomb</string>
+                     <string>archive_bomb</string>
-                <key>value</key>
+                     <key>value</key>
-                <string>audit</string>
+                     <string>audit</string>
-            </dict>
+                 </dict>
-        </array>
+             </array>
-        <key>threatTypeSettingsMergePolicy</key>
+             <key>threatTypeSettingsMergePolicy</key>
-        <string>merge</string>
+             <string>merge</string>
-    </dict>
+         </dict>
-    <key>cloudService</key>
+         <key>cloudService</key>
-    <dict>
+         <dict>
-        <key>enabled</key>
+             <key>enabled</key>
-        <true/>
+             <true/>
-        <key>diagnosticLevel</key>
+             <key>diagnosticLevel</key>
-        <string>optional</string>
+             <string>optional</string>
-        <key>automaticSampleSubmission</key>
+             <key>automaticSampleSubmission</key>
-        <true/>
+             <true/>
-    </dict>
+         </dict>
-    <key>edr</key>
+         <key>edr</key>
-    <dict>
+         <dict>
-        <key>tags</key>
+             <key>tags</key>
-        <array>
+             <array>
-            <dict>
+                 <dict>
-                <key>key</key>
+                     <key>key</key>
-                <string>GROUP</string>
+                     <string>GROUP</string>
-                <key>value</key>
+                     <key>value</key>
-                <string>ExampleTag</string>
+                     <string>ExampleTag</string>
-            </dict>
+                 </dict>
-        </array>
+             </array>
-    </dict>
+         </dict>
-    <key>userInterface</key>
+         <key>userInterface</key>
-    <dict>
+         <dict>
-        <key>hideStatusMenuIcon</key>
+             <key>hideStatusMenuIcon</key>
-        <false/>
+             <false/>
-    </dict>
+         </dict>
-</dict>
+     </dict>
-</plist>
+     </plist>
-```
+     ```
 
 2. Save the file as `MDATP_MDAV_configuration_settings.plist`.
 
@@ -266,11 +270,12 @@ You'll need to take the following steps:
 4. Enter the following details:
 
     **General**
-  - Name: MDATP MDAV configuration settings
+    
-  - Description:\<blank\>
+    - Name: MDATP MDAV configuration settings
-  - Category: None (default)
+    - Description:\<blank\>
-  - Distribution Method: Install Automatically(default)
+    - Category: None (default)
-  - Level: Computer Level(default)
+    - Distribution Method: Install Automatically(default)
+    - Level: Computer Level(default)
 
     ![Image of configuration settings](images/3160906404bc5a2edf84d1d015894e3b.png)
 
@@ -336,100 +341,21 @@ You'll need to take the following steps:
 
 These steps are applicable of macOS 10.15 (Catalina) or newer.
 
-1. Use the following Microsoft Defender ATP notification configuration settings:
+1. Download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig)
 
-```xml
+2. Save it as `MDATP_MDAV_notification_settings.plist`.
-<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-    <dict>
-        <key>PayloadContent</key>
-            <array>
-                <dict>
-                    <key>NotificationSettings</key>
-                    <array>
-                        <dict>
-                            <key>AlertType</key>
-                            <integer>2</integer>
-                            <key>BadgesEnabled</key>
-                            <true/>
-                            <key>BundleIdentifier</key>
-                            <string>com.microsoft.autoupdate2</string>
-                            <key>CriticalAlertEnabled</key>
-                            <false/><key>GroupingType</key>
-                            <integer>0</integer>
-                            <key>NotificationsEnabled</key>
-                            <true/>
-                            <key>ShowInLockScreen</key>
-                            <false/>
-                            <key>ShowInNotificationCenter</key>
-                            <true/>
-                            <key>SoundsEnabled</key>
-                            <true/>
-                        </dict>
-                        <dict>
-                            <key>AlertType</key>
-                            <integer>2</integer><key>BadgesEnabled</key>
-                            <true/><key>BundleIdentifier</key>
-                            <string>com.microsoft.wdav.tray</string>
-                            <key>CriticalAlertEnabled</key>
-                            <false/><key>GroupingType</key>
-                            <integer>0</integer>
-                            <key>NotificationsEnabled</key>
-                            <true/><key>ShowInLockScreen</key>
-                            <false/><key>ShowInNotificationCenter</key>
-                            <true/><key>SoundsEnabled</key>
-                            <true/>
-                        </dict>
-                    </array>
-                    <key>PayloadDescription</key>
-                    <string/><key>PayloadDisplayName</key>
-                    <string>notifications</string>
-                    <key>PayloadEnabled</key>
-                    <true/><key>PayloadIdentifier</key>
-                    <string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
-                    <key>PayloadOrganization</key>
-                    <string>Microsoft</string>
-                    <key>PayloadType</key>
-                    <string>com.apple.notificationsettings</string>
-                    <key>PayloadUUID</key>
-                    <string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
-                    <key>PayloadVersion</key>
-                    <integer>1</integer>
-                </dict>
-            </array>
-            <key>PayloadDescription</key>
-            <string/><key>PayloadDisplayName</key>
-            <string>mdatp - allow notifications</string>
-            <key>PayloadEnabled</key><true/>
-            <key>PayloadIdentifier</key>
-            <string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
-            <key>PayloadOrganization</key>
-            <string>Microsoft</string>
-            <key>PayloadRemovalDisallowed</key>
-            <false/><key>PayloadScope</key>
-            <string>System</string>
-            <key>PayloadType</key>
-            <string>Configuration</string>
-            <key>PayloadUUID</key>
-            <string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
-            <key>PayloadVersion</key>
-            <integer>1</integer>
-    </dict>
- </plist>   
-   ```
-
-2.  Save it as `MDATP_MDAV_notification_settings.plist`.
 
 3. In the Jamf Pro dashboard, select **General**. 
        
 4. Enter the following details:
 
     **General** 
-  - Name: MDATP MDAV Notification settings
+    
-  - Description: macOS 10.15 (Catalina) or newer
+    - Name: MDATP MDAV Notification settings
-  - Category: None (default)
+    - Description: macOS 10.15 (Catalina) or newer
-  - Distribution Method: Install Automatically(default)
+    - Category: None (default)
-  - Level: Computer Level(default)
+    - Distribution Method: Install Automatically(default)
+    - Level: Computer Level(default)
 
     ![Image of configuration settings](images/c9820a5ff84aaf21635c04a23a97ca93.png)
 
@@ -475,11 +401,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
 
 1. Use the following Microsoft Defender ATP configuration settings:
 
-```XML
+      ```XML
-<?xml version="1.0" encoding="UTF-8"?>
+   <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
+   <plist version="1.0">
-<dict>
+   <dict>
 	<key>ChannelName</key>
 	<string>Production</string>
 	<key>HowToCheck</key>
@@ -490,9 +416,9 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
     <false/>
 	<key>SendAllTelemetryEnabled</key>
 	<true/>
-</dict>
+   </dict>
-</plist>
+   </plist>
-```
+   ```
 
 2. Save it as `MDATP_MDAV_MAU_settings.plist`.
 
@@ -503,11 +429,12 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
 4. Enter the following details:
 
     **General** 
-  - Name: MDATP MDAV MAU settings
+    
-  - Description: Microsoft AutoUpdate settings for MDATP for macOS
+    - Name: MDATP MDAV MAU settings
-  - Category: None (default)
+    - Description: Microsoft AutoUpdate settings for MDATP for macOS
-  - Distribution Method: Install Automatically(default)
+    - Category: None (default)
-  - Level: Computer Level(default)
+    - Distribution Method: Install Automatically(default)
+    - Level: Computer Level(default)
 
 5. In **Application & Custom Settings** select **Configure**.
 
@@ -582,10 +509,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
 
     - Identifier: `com.microsoft.wdav`
     - Identifier Type: Bundle ID
-    - Code Requirement: identifier `com.microsoft.wdav` and anchor apple generic and
+    - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
-certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate
-leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate
-leaf[subject.OU] = UBF8T346G9
 
 
     ![Image of configuration setting](images/22cb439de958101c0a12f3038f905b27.png)
@@ -594,32 +518,53 @@ leaf[subject.OU] = UBF8T346G9
 
     ![Image of configuration setting](images/bd93e78b74c2660a0541af4690dd9485.png)
 
+    - Under App or service: Set to **SystemPolicyAllFiles**
 
-  - Under App or service: Set to **SystemPolicyAllFiles**
+    - Under "access": Set to **Allow**
-
-  - Under "access": Set to **Allow**
 
 7. Select **Save** (not the one at the bottom right).
 
     ![Image of configuration setting](images/6de50b4a897408ddc6ded56a09c09fe2.png)
 
-8. Select the **Scope** tab.
+8. Click the `+` sign next to **App Access** to add a new entry.
+
+    ![Image of configuration setting](images/tcc-add-entry.png)
+
+9. Enter the following details:
+
+    - Identifier: `com.microsoft.wdav.epsext`
+    - Identifier Type: Bundle ID
+    - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
+
+10. Select **+ Add**.
+
+    ![Image of configuration setting](images/tcc-epsext-entry.png)
+
+    - Under App or service: Set to **SystemPolicyAllFiles**
+
+    - Under "access": Set to **Allow**
+
+11. Select **Save** (not the one at the bottom right).
+
+    ![Image of configuration setting](images/tcc-epsext-entry2.png)
+
+12. Select the **Scope** tab.
 
     ![Image of configuration setting](images/2c49b16cd112729b3719724f581e6882.png)
 
- 9. Select **+ Add**.
+13. Select **+ Add**.
 
     ![Image of configuration setting](images/57cef926d1b9260fb74a5f460cee887a.png)
 
-10. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**. 
+14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**. 
 
     ![Image of configuration setting](images/368d35b3d6179af92ffdbfd93b226b69.png)
 
-11. Select **Add**. 
+15. Select **Add**. 
 
-12. Select **Save**. 
+16. Select **Save**. 
     
-13. Select **Done**.
+17. Select **Done**.
     
     ![Image of configuration setting](images/809cef630281b64b8f07f20913b0039b.png)
     
@@ -635,11 +580,12 @@ leaf[subject.OU] = UBF8T346G9
 2. Enter the following details:
 
     **General** 
-  - Name: MDATP MDAV Kernel Extension
+    
-  - Description: MDATP kernel extension (kext)
+    - Name: MDATP MDAV Kernel Extension
-  - Category: None
+    - Description: MDATP kernel extension (kext)
-  - Distribution Method: Install Automatically
+    - Category: None
-  - Level: Computer Level
+    - Distribution Method: Install Automatically
+    - Level: Computer Level
 
     ![Image of configuration settings](images/24e290f5fc309932cf41f3a280d22c14.png)
 
@@ -648,11 +594,10 @@ leaf[subject.OU] = UBF8T346G9
     ![Image of configuration settings](images/30be88b63abc5e8dde11b73f1b1ade6a.png)
 
    
-
 4. In **Approved Kernel Extensions** Enter the following details:
 
-  - Display Name: Microsoft Corp.
+    - Display Name: Microsoft Corp.
-  - Team ID: UBF8T346G9
+    - Team ID: UBF8T346G9
 
     ![Image of configuration settings](images/39cf120d3ac3652292d8d1b6d057bd60.png)
 
@@ -677,10 +622,119 @@ leaf[subject.OU] = UBF8T346G9
     ![Image of configuration settings](images/1c9bd3f68db20b80193dac18f33c22d0.png)
 
 
-## Step 8: Schedule scans with Microsoft Defender ATP for Mac
+## Step 8: Approve System extensions for Microsoft Defender ATP
+
+1. In the **Configuration Profiles**, select **+ New**.
+
+    ![A screenshot of a social media post Description automatically generated](images/6c8b406ee224335a8c65d06953dc756e.png)
+
+2. Enter the following details:
+
+    **General**
+    
+    - Name: MDATP MDAV System Extensions
+    - Description: MDATP system extensions
+    - Category: None
+    - Distribution Method: Install Automatically
+    - Level: Computer Level
+
+    ![Image of configuration settings](images/sysext-new-profile.png)
+
+3. In **System Extensions** select **Configure**.
+
+   ![Image of configuration settings](images/sysext-configure.png)
+
+4. In **System Extensions** enter the following details:
+
+   - Display Name: Microsoft Corp. System Extensions
+   - System Extension Types: Allowed System Extensions
+   - Team Identifier: UBF8T346G9
+   - Allowed System Extensions:
+     - **com.microsoft.wdav.epsext**
+     - **com.microsoft.wdav.netext**
+
+    ![Image of configuration settings](images/sysext-configure2.png)
+
+5. Select the **Scope** tab.
+
+    ![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
+
+6. Select **+ Add**.
+
+7. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
+
+8. Select **+ Add**.
+
+   ![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
+
+9. Select **Save**.
+
+   ![Image of configuration settings](images/sysext-scope.png)
+
+10. Select **Done**.
+
+    ![Image of configuration settings](images/sysext-final.png)
+
+## Step 9: Configure Network Extension
+
+As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
+
+>[!NOTE]
+>JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
+>As such, the following steps provide a workaround that involve signing the configuration profile.
+
+1. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig) to your device and save it as `com.microsoft.network-extension.mobileconfig`
+
+2. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority
+
+3. After the certificate is created and installed to your device, run the following command from the Terminal from a macOS device:
+
+   ```bash
+   $ security cms -S -N "<certificate name>" -i com.microsoft.network-extension.mobileconfig -o com.microsoft.network-extension.signed.mobileconfig
+   ```
+
+   ![Terminal window with command to create signed configuration](images/netext-create-profile.png)
+
+4. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. 
+
+   ![Image of upload window](images/netext-upload-file.png)
+
+5. Select **Choose File** and select `microsoft.network-extension.signed.mobileconfig`.
+
+   ![Image of upload window](images/netext-choose-file.png)
+
+6. Select **Upload**.
+
+   ![Image of upload window](images/netext-upload-file2.png)
+
+7. After uploading the file, you are redirected to a new page to finalize the creation of this profile.
+
+   ![Image of new configuration profile](images/netext-profile-page.png)
+
+8. Select the **Scope** tab.
+
+   ![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
+
+9. Select **+ Add**.
+
+10. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
+
+11. Select **+ Add**.
+
+    ![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
+
+12. Select **Save**.
+
+    ![Image of configuration settings](images/netext-scope.png)
+
+13. Select **Done**.
+
+    ![Image of configuration settings](images/netext-final.png)
+
+## Step 10: Schedule scans with Microsoft Defender ATP for Mac
 Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
 
-## Step 9: Deploy Microsoft Defender ATP for macOS
+## Step 11: Deploy Microsoft Defender ATP for macOS
 
 1. Navigate to where you saved `wdav.pkg`.
 
@@ -729,10 +783,12 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
      ![Image of configuration settings](images/56dac54634d13b2d3948ab50e8d3ef21.png)
    
 9. Select **Save**. The package is uploaded to Jamf Pro. 
-    ![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png)
 
-    It can take a few minutes for the package to be available for deployment.
+   ![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png)
-    ![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png)
+
+   It can take a few minutes for the package to be available for deployment.
+   
+   ![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png)
 
 10. Navigate to the **Policies** page.
 
@@ -765,25 +821,31 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
     ![Image of configuration settings](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png)
 
 17. Select **Save**.
+
     ![Image of configuration settings](images/9d6e5386e652e00715ff348af72671c6.png)
 
 18. Select the **Scope** tab.  
+
     ![Image of configuration settings](images/8d80fe378a31143db9be0bacf7ddc5a3.png)
 
 19. Select the target computers.
 
     ![Image of configuration settings](images/6eda18a64a660fa149575454e54e7156.png)
 
-    **Scope**<br>
+    **Scope**
+    
     Select **Add**.
+    
     ![Image of configuration settings](images/1c08d097829863778d562c10c5f92b67.png)
 
     ![Image of configuration settings](images/216253cbfb6ae738b9f13496b9c799fd.png)
 
-    **Self-Service** <br>
+    **Self-Service**
+    
     ![Image of configuration settings](images/c9f85bba3e96d627fe00fc5a8363b83a.png)
 
 20. Select **Done**. 
+
     ![Image of configuration settings](images/99679a7835b0d27d0a222bc3fdaf7f3b.png)
 
     ![Image of configuration settings](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png)

windows/whats-new/whats-new-windows-10-version-1909.md

@@ -130,7 +130,6 @@ General battery life and power efficiency improvements for PCs with certain proc
 [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
 [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.<br>
 [What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.<br>
-[What's new in Windows 10, version 1909 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-1909): This list also includes consumer focused new features.<br>
 [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
 [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>
 [How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.<br>