Merge branch 'master' into repo_sync_working_branch

windows/deployment/upgrade/quick-fixes.md

@@ -158,11 +158,11 @@ To check and repair system files:
 
 ### Repair unsigned drivers
 
-Drivers that are not properly signed can block the upgrade process. Drivers might not be properly signed if you:
+[Drivers](https://docs.microsoft.com/windows-hardware/drivers/gettingstarted/what-is-a-driver-) are files ending in *.dll or *.sys that are used to communicate with hardware components.  Because drivers are so important, they are cryptographically signed to ensure they are genuine. Drivers with a *.sys extension that are not properly signed frequently block the upgrade process. Drivers might not be properly signed if you:
 - Disabled driver signature verification (highly not recommended).
 - A catalog file used to sign a driver is corrupt or missing.
 
-Catalog files are used to sign drivers. If a catalog file is corrupt or missing, the driver will appear to be unsigned, even though it should be signed. This can cause the upgrade process to fail. To restore the catalog file, reinstall the driver or copy the catalog file from another device. You might need to analyze another device to determine the catalog file that is associated with the unsigned driver.  All drivers should be signed to ensure the upgrade process works.
+ Catalog files (files with a *.cat extension) are used to sign drivers. If a catalog file is corrupt or missing, the driver will appear to be unsigned, even though it should be signed. To restore the catalog file, reinstall the driver or copy the catalog file from another device. You might need to analyze another device to determine the catalog file that is associated with the unsigned driver.  All drivers should be signed to ensure the upgrade process works.
 
 To check your system for unsigned drivers:
 
@@ -178,7 +178,7 @@ To check your system for unsigned drivers:
 7. After the scanning process is complete, if you see **Your files have been scanned and verified as digitally signed** then you have no unsigned drivers. Otherwise, you will see **The following files have not been digitally signed** and a list will be provided with name, location, and version of all unsigned drivers.
 8. To view and save a log file, click **Advanced**, and then click **View Log**. Save the log file if desired.
 9. Locate drivers in the log file that are unsigned, write down the location and file names. Also write down the catalog that is associated to the driver if it is provided. If the name of a catalog file is not provided you might need to analyze another device that has the same driver with sigverif and sigcheck (described below).
-10. Download [sigcheck.zip](https://download.sysinternals.com/files/Sigcheck.zip) and extract the tool to a directory on your computer, for example: **C:\sigcheck**.
+10. The next step is to check that the driver reported as unsigned by sigverif.exe has a problem. In some cases, sigverif.exe might not be successful at locating the catalog file used to sign a driver, even though the catalog file exists. To perform a detailed driver check, download [sigcheck.zip](https://download.sysinternals.com/files/Sigcheck.zip) and extract the tool to a directory on your computer, for example: **C:\sigcheck**.
 
     [Sigcheck](https://docs.microsoft.com/sysinternals/downloads/sigcheck) is a tool that you can download and use to review digital signature details of a file. To use sigcheck:
 
@@ -208,6 +208,8 @@ To check your system for unsigned drivers:
 		    Valid to:	11:46 AM 5/9/2018
             (output truncated)
     ```
+    In the example above, the afd.sys driver is properly signed by the catalog file Package_163_for_KB4054518~31bf3856ad364e35~x86~~6.1.1.2.cat. 
+
 
 13. Optionally, you can generate a list of drivers using driverquery.exe, which is included with Windows. To save a list of signed and unsigned drivers with driverquery, type **driverquery /si > c:\drivers.txt** and press ENTER. See the following example:
 

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md

@@ -13,7 +13,7 @@ author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: m365-security-compliance 
 ms.topic: article
 ---
 

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md

@@ -21,13 +21,12 @@ ms.topic: article
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 
-Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query.
+Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query.
 
 ## Try your first query
 
@@ -52,26 +51,21 @@ union DeviceProcessEvents, DeviceNetworkEvents
 FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
 | top 100 by Timestamp
 ```
-
+**[Run this query in advanced hunting](https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAI2TT0vDQBDF5yz4HUJPFcTqyZsXqyCIBFvxKNGWtpo_NVlbC8XP7m8mado0K5Zls8nkzdu3b2Z70pNAbmUmqYyk4D2UTJYyllwGMmWNGQHrN_NNvsSBzUBrbMFMiWieAx3xDEBl4GL4AuNd8B0bNgARENcdUmIZ3yM5liPwac3bN-YZPGPU5ET1rWDc7Ox4uod8YDp4MzI-GkjlX4Ne2nly0zEkKzFWh4ZE5sSuTN8Ehq5couvEMnvmUAhez-HsRBMipVa_W_OG6vEfGtT12JRHpqV064e1Kx04NsxFzXxW1aFjp_djXmDRPbfY3XMMcLogTz2bWZ2KqmIJI6q6wKe2WYnrRsa9KVeU9kCBBo2v7BzPxF_Bx2DKiqh63SGoRoc6Njti48z_yL71XHQAcgAur6rXRpcqH3l-4knZF23Utsbq2MircEqmw-G__xR1TdZ1r7zb7XLezmx3etkvGr-ze6NdGdW92azUfpcdluWvr-aqbh_nofnqcWI3aYyOsBV7giduRUO7187LMKTT5rxvHHX80_t8IeeMgLquvL7-Ak3q-kz8BAAA&runQuery=true&timeRangeId=week)**
-This is how it will look like in advanced hunting.
-
-![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example-2.png)
-
 
 ### Describe the query and specify the tables to search
-A short comment has been added to the beginning of the query to describe what it is for. This helps if you later decide to save the query and share it with others in your organization. 
+A short comment has been added to the beginning of the query to describe what it is for. This comment helps if you later decide to save the query and share it with others in your organization.
 
 ```kusto
 // Finds PowerShell execution events that could involve a download
 ```
-
+The query itself will typically start with a table name followed by several elements that start with a pipe (`|`). In this example, we start by creating a union of two tables,  `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
-The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by creating a union of two tables,  `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
 
 ```kusto
 union DeviceProcessEvents, DeviceNetworkEvents
 ```
 ### Set the time range
-The first piped element is a time filter scoped to the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
+The first piped element is a time filter scoped to the previous seven days. Limiting the time range helps ensure that queries perform well, return manageable results, and don't time out.
 
 ```kusto
 | where Timestamp > ago(7d)
@@ -80,7 +74,7 @@ The first piped element is a time filter scoped to the previous seven days. Keep
 ### Check specific processes
 The time range is immediately followed by a search for process file names representing the PowerShell application.
 
-```
+```kusto
 // Pivoting on PowerShell processes
 | where FileName in~ ("powershell.exe", "powershell_ise.exe")
 ```
@@ -101,7 +95,7 @@ Afterwards, the query looks for strings in command lines that are typically used
 ```
 
 ### Customize result columns and length 
-Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
+Now that your query clearly identifies the data you want to locate, you can define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
 
 ```kusto
 | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, 
@@ -109,7 +103,7 @@ FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
 | top 100 by Timestamp
 ```
 
-Click **Run query** to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results. 
+Select **Run query** to see the results. Use the expand icon at the top right of the query editor to focus on your hunting query and the results. 
 
 ![Image of the Expand control in the advanced hunting query editor](images/advanced-hunting-expand.png)
 
@@ -118,7 +112,7 @@ Click **Run query** to see the results. Select the expand icon at the top right
 
 ## Learn common query operators for advanced hunting
 
-Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones.
+You've just run your first query and have a general idea of its components. It's time to backtrack slightly and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones.
 
 | Operator | Description and usage |
 |--|--|
@@ -137,15 +131,17 @@ To see a live example of these operators, run them from the **Get started** sect
 
 ## Understand data types
 
-Data in advanced hunting tables are generally classified into the following data types.
+Advanced hunting supports Kusto data types, including the following common types:
 
 | Data type | Description and query implications |
 |--|--|
-| `datetime` | Data and time information typically representing event timestamps |
+| `datetime` | Data and time information typically representing event timestamps. [See supported datetime formats](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/datetime) |
-| `string` | Character string |
+| `string` | Character string in UTF-8 enclosed in single quotes (`'`) or double quotes (`"`). [Read more about strings](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/string) |
-| `bool` | True or false |
+| `bool` | This data type supports `true` or `false` states. [See supported literals and operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/bool) |
-| `int` | 32-bit numeric value  |
+| `int` | 32-bit integer  |
-| `long` | 64-bit numeric value |
+| `long` | 64-bit integer |
+
+To learn more about these data types, [read about Kusto scalar data types](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/).
 
 ## Get help as you write queries
 Take advantage of the following functionality to write queries faster:
@@ -155,7 +151,7 @@ Take advantage of the following functionality to write queries faster:
 - **[Schema reference](advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center)**—in-portal reference with table and column descriptions as well as supported event types (`ActionType` values) and sample queries
 
 ## Work with multiple queries in the editor
-The query editor can serve as your scratch pad for experimenting with multiple queries. To use multiple queries:
+You can use the query editor to experiment with multiple queries. To use multiple queries:
 
 - Separate each query with an empty line.
 - Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**.
@@ -171,7 +167,7 @@ The **Get started** section provides a few simple queries using commonly used op
 ![Image of the advanced hunting get started tab](images/atp-advanced-hunting.png)
 
 > [!NOTE]
-> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
+> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the [GitHub query repository](https://aka.ms/hunting-queries).
 
 ## Access comprehensive query language reference
 

windows/security/threat-protection/microsoft-defender-atp/android-configure.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/android-intune.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md

@@ -14,7 +14,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md

@@ -12,7 +12,9 @@ author: denisebmsft
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
 ms.date: 09/24/2020

windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md

@@ -15,7 +15,9 @@ ms.date: 09/30/2020
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
 ms.custom: AIR

windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md

@@ -16,6 +16,8 @@ ms.custom:
 - next-gen
 - edr
 ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ---
 
 # Behavioral blocking and containment

windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md

@@ -16,6 +16,8 @@ ms.custom:
 - next-gen
 - edr
 ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ---
 
 # Client behavioral blocking

windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md

@@ -14,7 +14,9 @@ author: DulceMontemayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ---
 

windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md

@@ -13,7 +13,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ---
 

windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md

@@ -16,6 +16,9 @@ ms.custom:
 - next-gen
 - edr
 ms.date: 08/21/2020
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ---
 
 # Endpoint detection and response (EDR) in block mode

windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md

@@ -13,7 +13,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ms.date: 04/24/2018
 ---

windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md

@@ -13,7 +13,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ---
 

windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md

@@ -13,7 +13,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ms.date: 04/24/2018
 ---

windows/security/threat-protection/microsoft-defender-atp/investigate-files.md

@@ -13,7 +13,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ms.date: 04/24/2018
 ---

windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md

@@ -13,7 +13,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ---
 

windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md

@@ -13,7 +13,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ms.date: 04/24/2018
 ---

windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md

@@ -13,7 +13,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ---
 

windows/security/threat-protection/microsoft-defender-atp/investigate-user.md

@@ -13,7 +13,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ms.date: 04/24/2018
 ---

windows/security/threat-protection/microsoft-defender-atp/investigation.md

@@ -12,7 +12,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ---
 

windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md

@@ -14,7 +14,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/ios-install.md

@@ -14,7 +14,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md

@@ -14,7 +14,9 @@ author: sunasing
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 hideEdit: true
 ---

windows/security/threat-protection/microsoft-defender-atp/ios-terms.md

@@ -14,7 +14,9 @@ author: sunasing
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 hideEdit: true
 ---

windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/linux-pua.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/linux-resources.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+mms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/linux-updates.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint 
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md

@@ -13,7 +13,9 @@ author: maximvelichko
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint 
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-pua.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-resources.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint 
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ROBOTS: noindex,nofollow
 ---

windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ROBOTS: noindex,nofollow
 ---

windows/security/threat-protection/microsoft-defender-atp/mac-updates.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md

@@ -13,7 +13,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md

@@ -13,7 +13,9 @@ author: denisebmsft
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ms.date: 09/15/2020
 ---

windows/security/threat-protection/microsoft-defender-atp/manage-edr.md

@@ -14,7 +14,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md

@@ -13,9 +13,10 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
-ms.date: 10/08/2018
 ---
 
 # Manage Microsoft Defender ATP incidents

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md

@@ -14,7 +14,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md

@@ -14,7 +14,9 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md

@@ -13,7 +13,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md

@@ -14,7 +14,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/microsoft-defender-atp/preview.md

@@ -13,7 +13,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 
@@ -21,6 +23,8 @@ ms.topic: conceptual
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
+>[!IMPORTANT]
+>The preview versions are provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
 
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

windows/security/threat-protection/microsoft-defender-atp/review-alerts.md

@@ -11,7 +11,9 @@ author: danihalfin
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ms.date: 5/1/2020
 ---

windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md

@@ -13,7 +13,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ---
 

windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md

@@ -14,7 +14,9 @@ author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ---
 

windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md

@@ -13,7 +13,9 @@ author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 # Event timeline - threat and vulnerability management

windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md

@@ -13,7 +13,9 @@ author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ---
 

windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md

@@ -13,7 +13,9 @@ author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 # Threat and vulnerability management dashboard insights

windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md

@@ -13,7 +13,9 @@ author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint 
 ms.topic: conceptual
 ---
 # Exposure score - threat and vulnerability management

windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md

@@ -13,7 +13,9 @@ author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 # Microsoft Secure Score for Devices

windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md

@@ -13,7 +13,9 @@ author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 # Remediation activities and exceptions - threat and vulnerability management

windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md

@@ -13,7 +13,9 @@ author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 # Security recommendations - threat and vulnerability management

windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md

@@ -13,7 +13,9 @@ author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 # Software inventory - threat and vulnerability management

windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md

@@ -13,7 +13,9 @@ author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: article
 ---
 # Supported operating systems and platforms - threat and vulnerability management

windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md

@@ -13,7 +13,9 @@ author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 # Weaknesses found by threat and vulnerability management

windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md

@@ -13,7 +13,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- m365-security-compliance 
+- m365-initiative-defender-endpoint
 ms.topic: conceptual
 ---
 

windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md

@@ -1,254 +0,0 @@
----
-title: WannaCrypt ransomware worm targets out-of-date systems
-description: This is an early analysis of the WannaCrypt ransomware attack. Microsoft antimalware diagnostic data immediately picked up signs of this campaign in May 2017.
-keywords: wannacry, wannacrypt, wanna, ransomware
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: dulcemontemayor
-ms.date: 07/27/2017
-ms.reviewer: 
-manager: dansimp
-ms.author: dansimp
----
-
-# WannaCrypt ransomware worm targets out-of-date systems
-
-
-On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) if they have not already done so.
-
-Microsoft antimalware diagnostic data immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.
-
-In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.
-
-## Attack vector
-
-Ransomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB 'EternalBlue' vulnerability, [CVE-2017-0145](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx), which was released on March 14, 2017.
-
-WannaCrypt's spreading mechanism is borrowed from [well-known](https://packetstormsecurity.com/files/142464/MS17-010-SMBv1-SrvOs2FeaToNt-OOB-Remote-Code-Execution.html) [public SMB exploits](https://github.com/RiskSense-Ops/MS17-010), which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available.
-
-The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.
-
-We haven't found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:
-
-- Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
-- Infection through SMB exploit when an unpatched computer is addressable from other infected machines
-
-## Dropper
-
-The threat arrives as a dropper Trojan that has the following two components:
-
-1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers
-2. The ransomware known as WannaCrypt
-
-The dropper tries to connect the following domains using the API `InternetOpenUrlA()`:
-
-- www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
-- www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
-
-If connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.
-
-In other words, unlike in most malware infections, **IT Administrators should NOT block these domains**. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.
-
-![Connection information from WannaCrypt code](images/wanna1.png)
-
-The threat creates a service named *mssecsvc2.0*, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:
-```
-Service Name: mssecsvc2.0
-Service Description: (Microsoft Security Center (2.0) Service)
-Service Parameters: '-m security'
-```
-
- ![Mssecsvc2.0 process details](images/wanna2.png)
-
-## WannaCrypt ransomware
-
-The ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is 'WNcry@2ol7'.
-
-When run, WannaCrypt creates the following registry keys:
-
-- *HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\\<random string> = '\<malware working directory>\tasksche.exe'*
-- *HKLM\SOFTWARE\WanaCrypt0r\\wd = '\<malware working directory>'*
-
-It changes the wallpaper to a ransom message by modifying the following registry key:
-
-- *HKCU\Control Panel\Desktop\Wallpaper: '\<malware working directory>\\@WanaDecryptor@.bmp'*
-
-It creates the following files in the malware's working directory:
-
-- *00000000.eky*
-- *00000000.pky*
-- *00000000.res*
-- *274901494632976.bat*
-- <em>@Please_Read_Me@.txt</em>
-- <em>@WanaDecryptor@.bmp</em>
-- <em>@WanaDecryptor@.exe</em>
-- *b.wnry*
-- *c.wnry*
-- *f.wnry*
-- *m.vbs*
-- *msg\m_bulgarian.wnry*
-- *msg\m_chinese (simplified).wnry*
-- *msg\m_chinese (traditional).wnry*
-- *msg\m_croatian.wnry*
-- *msg\m_czech.wnry*
-- *msg\m_danish.wnry*
-- *msg\m_dutch.wnry*
-- *msg\m_english.wnry*
-- *msg\m_filipino.wnry*
-- *msg\m_finnish.wnry*
-- *msg\m_french.wnry*
-- *msg\m_german.wnry*
-- *msg\m_greek.wnry*
-- *msg\m_indonesian.wnry*
-- *msg\m_italian.wnry*
-- *msg\m_japanese.wnry*
-- *msg\m_korean.wnry*
-- *msg\m_latvian.wnry*
-- *msg\m_norwegian.wnry*
-- *msg\m_polish.wnry*
-- *msg\m_portuguese.wnry*
-- *msg\m_romanian.wnry*
-- *msg\m_russian.wnry*
-- *msg\m_slovak.wnry*
-- *msg\m_spanish.wnry*
-- *msg\m_swedish.wnry*
-- *msg\m_turkish.wnry*
-- *msg\m_vietnamese.wnry*
-- *r.wnry*
-- *s.wnry*
-- *t.wnry*
-- *TaskData\Tor\libeay32.dll*
-- *TaskData\Tor\libevent-2-0-5.dll*
-- *TaskData\Tor\libevent_core-2-0-5.dll*
-- *TaskData\Tor\libevent_extra-2-0-5.dll*
-- *TaskData\Tor\libgcc_s_sjlj-1.dll*
-- *TaskData\Tor\libssp-0.dll*
-- *TaskData\Tor\ssleay32.dll*
-- *TaskData\Tor\taskhsvc.exe*
-- *TaskData\Tor\tor.exe*
-- *TaskData\Tor\zlib1.dll*
-- *taskdl.exe*
-- *taskse.exe*
-- *u.wnry*
-
-WannaCrypt may also create the following files:
-
-- *%SystemRoot%\tasksche.exe*
-- *%SystemDrive%\intel\\\<random directory name>\tasksche.exe*
-- *%ProgramData%\\\<random directory name>\tasksche.exe*
-
-It may create a randomly named service that has the following associated ImagePath: `cmd.exe /c '<malware working directory>\tasksche.exe'`.
-
-It then searches the whole computer for any file with any of the following file name extensions: *.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der' , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw.*
-
-WannaCrypt encrypts all files it finds and renames them by appending *.WNCRY* to the file name. For example, if a file is named *picture.jpg*, the ransomware encrypts and renames the file to *picture.jpg.WNCRY*.
-
-This ransomware also creates the file <em>@Please_Read_Me@.txt</em> in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).
-
-After completing the encryption process, the malware deletes the volume shadow copies by running the following command:
-`cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet`
-
-It then replaces the desktop background image with the following message:
-
-![Example background image of WannaCrypt](images/wanna3.png)
-
-It also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:
-
- ![Screenshot of WannaCrypt ransom notice](images/wanna4.png)
-
-The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.
-
-The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.
-
- ![Screenshot of decryption window](images/wanna5.png)
-
-## Spreading capability
-
-The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below.
-
-![Spreading scanning activity](images/wanna6.png)
-
-The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routing discovers unpatched computers.
-
-When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.
-
- ![Kernel-level shellcode used by WannaCrypt](images/wanna7.png)
-
- ![Kernel-level shellcode used by WannaCrypt](images/wanna8.png)
-
-## Protection against the WannaCrypt attack
-
-To get the latest protection from Microsoft, upgrade to [Windows 10](https://www.microsoft.com/windows/windows-10-upgrade). Keeping your computers [up-to-date](https://www.microsoft.com/security/portal/mmpc/help/updatefaqs.aspx) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.
-
-We recommend customers that have not yet installed the security update [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:
-
-- Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](https://support.microsoft.com/kb/2696547) and as [recommended previously](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/)
-- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
-
-[Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Microsoft Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.
-
-For enterprises, use [Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.
-
-Use [Office 365 Advanced Threat Protection](https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/), which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.
-
-Monitor networks with [Windows Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection - Ransomware response playbook](https://www.microsoft.com/download/details.aspx?id=55090).
-
-## Resources
-
-Download English language security updates: [Windows Server 2003 SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows Server 2003 SP2 x86,](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe) [Windows XP SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows XP SP3 x86](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe), [Windows XP Embedded SP3 x86](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe), [Windows 8 x86,](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu) [Windows 8 x64](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu)
-
-Download localized language security updates: [Windows Server 2003 SP2 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e), [Windows Server 2003 SP2 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9), [Windows XP SP2 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa), [Windows XP SP3 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f), [Windows XP Embedded SP3 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add), [Windows 8 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340), [Windows 8 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0)
-
-MS17-010 Security Update: [https://technet.microsoft.com/library/security/ms17-010.aspx](https://technet.microsoft.com/library/security/ms17-010.aspx)
-
-Customer guidance for WannaCrypt attacks: [https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)
-
-General information on ransomware: [https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx](https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx)
-
-## Indicators of compromise
-
-SHA1 of samples analyzed:
-
-- 51e4307093f8ca8854359c0ac882ddca427a813c
-- e889544aff85ffaf8b0d0da705105dee7c97fe26
-
-Files created:
-
-- %SystemRoot%\mssecsvc.exe
-- %SystemRoot%\tasksche.exe
-- %SystemRoot%\qeriuwjhrf
-- b.wnry
-- c.wnry
-- f.wnry
-- r.wnry
-- s.wnry
-- t.wnry
-- u.wnry
-- taskdl.exe
-- taskse.exe
-- 00000000.eky
-- 00000000.res
-- 00000000.pky
-- @WanaDecryptor@.exe
-- @Please_Read_Me@.txt
-- m.vbs
-- @WanaDecryptor@.exe.lnk
-- @WanaDecryptor@.bmp
-- 274901494632976.bat
-- taskdl.exe
-- Taskse.exe
-- Files with '.wnry' extension
-- Files with '.WNCRY' extension
-
-Registry keys created:
-
-- HKLM\SOFTWARE\WanaCrypt0r\wd
-
-
-
-*Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya*<br />*Microsoft Malware Protection Center*
-

windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md

@@ -10,7 +10,9 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 manager: dansimp
-ms.collection: M365-security-compliance
+ms.collection: 
+- m365-security-compliance
+- m365-initiative-windows-security
 ms.topic: troubleshooting
 ---