Merge remote-tracking branch 'refs/remotes/origin/master' into rs5

windows/application-management/msix-app-packaging-tool.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: mikeblodge
 ms.topic: article
-ms.date: 08/01/2018
+ms.date: 09/21/2018
 ---
 
 # Repackage existing win32 applications to the MSIX format
@@ -23,6 +23,13 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft
 - A valid MSA alias (to access the app from the Store) 
 
 ## What's new
+v1.2018.915.0
+- Updated UI to improve clarity and experience
+- Ability to generate a template file for use with a command line
+- Ability to add/remove entry points
+- Ability to sign your package from package editor
+- File extension handling
+
 v1.2018.821.0
 - Command Line Support
 - Ability to use existing local virtual machines for packaging environment.
@@ -147,7 +154,9 @@ Requirements:
         DisableWindowsUpdateService ="true"/>
     <!--Note: this section takes precedence over the Settings::ApplyAllPrepareComputerFixes attribute -->
 
-    <SaveLocation Path="C:\users\user\Desktop" />
+    <SaveLocation
+    PackagePath="C:\users\user\Desktop\MyPackage.msix" 
+    TemplatePath="C:\users\user\Desktop\MyTemplate.xml" />
 
     <Installer
         Path="C:\MyAppInstaller.msi"
@@ -201,7 +210,8 @@ Here is the complete list of parameters that you can use in the Conversion templ
 |PrepareComputer:: DisableSmsHostService     |[optional] Disables SMS Host while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes.         |
 |PrepareComputer:: DisableWindowsUpdateService     |[optional] Disables Windows Update while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes.         |
 |SaveLocation     |[optional] An element to specify the save location of the tool. If not specified, the package will be saved under the Desktop folder.         |
-|SaveLocation::Path     |The path to the folder where the resulting MSIX package is saved.         |
+|SaveLocation::PackagePath     |[optional] The path to the file or folder where the resulting MSIX package is saved.         |
+|SaveLocation::TemplatePath    |[optional] The path to the file or folder where the resulting CLI template is saved.    |
 |Installer::Path     |The path to the application installer.         |
 |Installer::Arguments     |The arguments to pass to the installer. You must pass the arguments to force your installer to run unattended/silently. If the installer is an msi or appv, pass an empty argument ie Installer=””.        |
 |Installer::InstallLocation     |[optional] The full path to your application's root folder for the installed files if it were installed (e.g. "C:\Program Files (x86)\MyAppInstalllocation").         |

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 08/27/2018
+ms.date: 09/20/2018
 ---
 
 # What's new in MDM enrollment and management
@@ -1405,7 +1405,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>Defender/EnableLowCPUPriority</li>
 <li>Defender/SignatureUpdateFallbackOrder</li>
 <li>Defender/SignatureUpdateFileSharesSources</li>
-<li>DeviceGuard/EnableSystemGuard</li>
+<li>DeviceGuard/ConfigureSystemGuardLaunch</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</li>
 <li>DeviceInstallation/PreventDeviceMetadataFromNetwork</li>
@@ -1762,9 +1762,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 
 ### September 2018
 
-New or updated topic | Description
---- | ---
-[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).
+|New or updated topic | Description|
+|--- | ---|
+|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).|
+|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.|
 
 ### August 2018
 
@@ -1912,7 +1913,7 @@ New or updated topic | Description
 <li>Defender/EnableLowCPUPriority</li>
 <li>Defender/SignatureUpdateFallbackOrder</li>
 <li>Defender/SignatureUpdateFileSharesSources</li>
-<li>DeviceGuard/EnableSystemGuard</li>
+<li>DeviceGuard/ConfigureSystemGuardLaunch</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</li>
 <li>DeviceInstallation/PreventDeviceMetadataFromNetwork</li>

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -987,7 +987,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 
 <dl>
   <dd>
-    <a href="./policy-csp-deviceguard.md#deviceguard-enablesystemguard" id="deviceguard-enablesystemguard">DeviceGuard/EnableSystemGuard</a>
+    <a href="./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch" id="deviceguard-configuresystemguardlaunch">DeviceGuard/ConfigureSystemGuardLaunch</a>
   </dd>
   <dd>
     <a href="./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity" id="deviceguard-enablevirtualizationbasedsecurity">DeviceGuard/EnableVirtualizationBasedSecurity</a>
@@ -4324,7 +4324,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
 -   [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
 -   [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
--   [DeviceGuard/EnableSystemGuard](./policy-csp-deviceguard.md#deviceguard-enablesystemguard)
+-   [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch)
 -   [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
 -   [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
 -   [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)

windows/client-management/mdm/policy-csp-deviceguard.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/30/2018
+ms.date: 09/20/2018
 ---
 
 # Policy CSP - DeviceGuard
@@ -22,7 +22,7 @@ ms.date: 07/30/2018
 
 <dl>
   <dd>
-    <a href="#deviceguard-enablesystemguard">DeviceGuard/EnableSystemGuard</a>
+    <a href="#deviceguard-configuresystemguardlaunch">DeviceGuard/ConfigureSystemGuardLaunch</a>
   </dd>
   <dd>
     <a href="#deviceguard-enablevirtualizationbasedsecurity">DeviceGuard/EnableVirtualizationBasedSecurity</a>
@@ -39,7 +39,7 @@ ms.date: 07/30/2018
 <hr/>
 
 <!--Policy-->
-<a href="" id="deviceguard-enablesystemguard"></a>**DeviceGuard/EnableSystemGuard**  
+<a href="" id="deviceguard-configuresystemguardlaunch"></a>**DeviceGuard/ConfigureSystemGuardLaunch**  
 
 <!--SupportedSKUs-->
 <table>

windows/client-management/mdm/policy-ddf-file.md

@@ -25635,7 +25635,7 @@ Related policy:
           </DFType>
         </DFProperties>
         <Node>
-          <NodeName>EnableSystemGuard</NodeName>
+          <NodeName>ConfigureSystemGuardLaunch</NodeName>
           <DFProperties>
             <AccessType>
               <Add />
@@ -27217,7 +27217,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
               <Get />
               <Replace />
             </AccessType>
-            <Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user.
+            <Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. 
                         Related policy: PreventUsersFromTurningOnBrowserSyncing
                         0 (default) = allow syncing, 2 = disable syncing</Description>
             <DFFormat>
@@ -33474,7 +33474,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
               <Replace />
             </AccessType>
             <Description>Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal.
-
+                
                 This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal.</Description>
             <DFFormat>
               <chr/>
@@ -33862,7 +33862,7 @@ If you disable or do not configure this policy (recommended), users will be able
 Notes
 
 If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
-Disabling the Administrator account can become a maintenance issue under certain circumstances.
+Disabling the Administrator account can become a maintenance issue under certain circumstances. 
 
 Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts.  If the computer is domain joined the disabled administrator will not be enabled.
 
@@ -34352,7 +34352,7 @@ The options are:
  No Action
  Lock Workstation
  Force Logoff
- Disconnect if a Remote Desktop Services session
+ Disconnect if a Remote Desktop Services session 
 
 If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
 
@@ -35374,7 +35374,7 @@ This policy setting controls the behavior of all User Account Control (UAC) poli
 
 The options are:
 
-• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. 
 
 • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.</Description>
             <DFFormat>
@@ -44745,7 +44745,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
               <Get />
               <Replace />
             </AccessType>
-            <Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+            <Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 
 1) The access token that is being impersonated is for this user.
 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
 3) The requested level is less than Impersonate, such as Anonymous or Identify.
@@ -47064,11 +47064,11 @@ Because of these factors, users do not usually need this user right. Warning: If
 
   <xs:element name="ForceRestart">
     <xs:complexType>
-      <xs:attribute name="StartDateTime" type="xs:dateTime" use="required"/>
-      <xs:attribute name="Recurrence" type="recurrence" use="required"/>
-      <xs:attribute name="RunIfTaskIsMissed" type="xs:boolean" use="required"/>
-      <xs:attribute name="DaysOfWeek" type="daysOfWeek"/>
-      <xs:attribute name="DaysOfMonth" type="daysOfMonth"/>
+      <xs:attribute name="StartDateTime" type="xs:dateTime" use="required"/> 
+      <xs:attribute name="Recurrence" type="recurrence" use="required"/> 
+      <xs:attribute name="RunIfTaskIsMissed" type="xs:boolean" use="required"/> 
+      <xs:attribute name="DaysOfWeek" type="daysOfWeek"/> 
+      <xs:attribute name="DaysOfMonth" type="daysOfMonth"/> 
     </xs:complexType>
   </xs:element>
 </xs:schema>]]></MSFT:XMLSchema>
@@ -55084,7 +55084,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
               <Get />
             </AccessType>
             <DefaultValue>0</DefaultValue>
-            <Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user.
+            <Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. 
                         Related policy: PreventUsersFromTurningOnBrowserSyncing
                         0 (default) = allow syncing, 2 = disable syncing</Description>
             <DFFormat>
@@ -62093,7 +62093,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
             </AccessType>
             <DefaultValue></DefaultValue>
             <Description>Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal.
-
+                
                 This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal.</Description>
             <DFFormat>
               <chr/>
@@ -62491,7 +62491,7 @@ If you disable or do not configure this policy (recommended), users will be able
 Notes
 
 If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
-Disabling the Administrator account can become a maintenance issue under certain circumstances.
+Disabling the Administrator account can become a maintenance issue under certain circumstances. 
 
 Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts.  If the computer is domain joined the disabled administrator will not be enabled.
 
@@ -63024,7 +63024,7 @@ The options are:
  No Action
  Lock Workstation
  Force Logoff
- Disconnect if a Remote Desktop Services session
+ Disconnect if a Remote Desktop Services session 
 
 If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
 
@@ -64127,7 +64127,7 @@ This policy setting controls the behavior of all User Account Control (UAC) poli
 
 The options are:
 
-• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. 
 
 • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.</Description>
             <DFFormat>
@@ -74444,7 +74444,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
               <Get />
             </AccessType>
             <DefaultValue></DefaultValue>
-            <Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+            <Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 
 1) The access token that is being impersonated is for this user.
 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
 3) The requested level is less than Impersonate, such as Anonymous or Identify.

windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md

@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: aadake
-ms.date: 09/06/2018
+ms.date: 09/19/2018
 ---
 
 # Kernel DMA Protection for Thunderbolt™ 3 
@@ -19,6 +19,8 @@ Drive-by DMA attacks can lead to disclosure of sensitive information residing on
 
 This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
 
+For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to Intel documentation.
+
 ## Background
 
 PCI devices are DMA-capable, which allows them to read and write to system memory at will, without having to engage the system processor in these operations. 

windows/security/threat-protection/TOC.md

@@ -138,7 +138,7 @@
 ####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
 
  
-##### [Managed service provider provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md)
+##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md)
 
 #### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)
 #####  [Protect users, data, and devices with conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md)
@@ -372,6 +372,7 @@
 #### [Malware names](intelligence/malware-naming.md)
 #### [Coin miners](intelligence/coinminer-malware.md)
 #### [Exploits and exploit kits](intelligence/exploits-malware.md)
+#### [Fileless threats](intelligence/fileless-threats.md)
 #### [Macro malware](intelligence/macro-malware.md)
 #### [Phishing](intelligence/phishing.md)
 #### [Ransomware](intelligence/ransomware-malware.md)

windows/security/threat-protection/index.md

@@ -38,7 +38,7 @@ Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified
 
 <a name="asr"></a>
 
-**Attack surface reduction**<br>
+**[Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md)**<br>
 The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. 
 
 - [Hardware based isolation](windows-defender-atp/overview-hardware-based-isolation.md) 
@@ -51,7 +51,7 @@ The attack surface reduction set of capabilities provide the first line of defen
 
 <a name="ngp"></a>
 
-**Next generation protection**<br>
+**[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**<br>
 To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats.
 
 - [Windows Defender Antivirus](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) 
@@ -61,8 +61,7 @@ To further reinforce the security perimeter of your network, Windows Defender AT
 
 <a name="edr"></a>
 
-**Endpoint protection and response**<br>
-
+**[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**<br>
 Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. 
 
 - [Alerts](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
@@ -74,7 +73,7 @@ Endpoint protection and response capabilities are put in place to detect, invest
 
 <a name="ai"></a>
 
-**Automated investigation and remediation**<br>
+**[Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md)**<br>
 In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. 
 
 - [Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md)
@@ -84,8 +83,7 @@ In conjunction with being able to quickly respond to advanced attacks, Windows D
 
 <a name="ss"></a>
 
-**Secure score**<br>
-
+**[Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md)**<br>
 Windows Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
 - [Asset inventory](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md)
 - [Recommended improvement actions](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md)
@@ -94,7 +92,7 @@ Windows Defender ATP includes a secure score to help you dynamically assess the
 
 <a name="ah"></a>
 
-**Advanced hunting**<br>
+**[Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md)**<br>
 Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in your organization.
 
 - [Custom detection](windows-defender-atp/overview-custom-detections.md)
@@ -102,7 +100,7 @@ Create custom threat intelligence and use a powerful search and query tool to hu
 
 <a name="apis"></a>
 
-**Management and APIs**<br>
+**[Management and APIs](windows-defender-atp/management-apis.md)**<br>
 Integrate Windows Defender Advanced Threat Protection into your existing workflows.
 - [Onboarding](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md)
 - [API and SIEM integration](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
@@ -112,7 +110,7 @@ Integrate Windows Defender Advanced Threat Protection into your existing workflo
 
 <a name="mtp"></a>
 
-**Microsoft threat protection** <br>
+**[Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)** <br>
 Bring the power of Microsoft threat protection to your organization.
 - [Conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md)
 - [O365 ATP](windows-defender-atp/threat-protection-integration.md)

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -137,7 +137,7 @@
 ###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
 
  
-#### [Managed service provider provider support](mssp-support-windows-defender-advanced-threat-protection.md)
+#### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md)
 
 
 ### [Microsoft threat protection](threat-protection-integration.md)

windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md

@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 09/06/2018
+ms.date: 09/20/2018
 ---
 
 # Configure advanced features in Windows Defender ATP

windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md

@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 09/18/2018
 ---
 
 # Investigate machines in the Windows Defender ATP Machines list
@@ -60,7 +60,7 @@ You'll also see details such as logon types for each user account, the user grou
  For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
 
 **Machine risk**</br>
-The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level is determined using the number of active alerts and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be exposed to.
+The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be exposed to.
 
 **Azure Advanced Threat Protection**</br> 
 If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided.