From ea671956fd170715746652f8acc6bfd802914856 Mon Sep 17 00:00:00 2001
From: Bella Brahm <isbrahm@microsoft.com>
Date: Wed, 29 Jan 2020 14:47:03 -0800
Subject: [PATCH 01/21] Add WDAC vs AppLocker comparison chart

---
 .../windows-defender-application-control.md     | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index ba4929c2f6..e5740b67c8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -93,6 +93,23 @@ Although either AppLocker or WDAC can be used to control application execution o
 -   You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
 -   You do not wish to enforce application control on application files such as DLLs or drivers.
 
+### Detailed Comparison Chart
+| Capability                        | WDAC                                                                                                                                                                                                                                                                                                                                               | AppLocker                                                                                                                                                                                                                                                                                                                         |
+|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Platform support                  | Available on Windows 10 devices                                                                                                                                                                                                                                                                                                                    | Available on Windows 8+ devices                                                                                                                                                                                                                                                                                                   |
+| SKU availability                  | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs.                                                                                                                                                                                        | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs.                                                                                                                                                                                                |
+| Management solutions              | <ul><li>[Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) (including built-in policies)</li><li>[SCCM](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (including built-in policies)</li><li>[Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy) </li><li>PowerShell</li></ul>                                                                                                                                                                                                                                         | <ul><li>Intune (no native support)</li><li>SCCM (no native support)</li><li>Group Policy</li><li>PowerShell</li><ul>                                                                                                                                                                                                                                              |
+| Per-User and Per-User group rules | Not available (policies are device-wide)                                                                                                                                                                                                                                                                                                           | Available on Windows 8+                                                                                                                                                                                                                                                                                                           |
+| Kernel mode policies              | Available on all Windows 10 builds                                                                                                                                                                                                                                                                                                                 | Not available                                                                                                                                                                                                                                                                                                                     |
+| Per-app rules                     | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules)                                                                                                                                                                                                                                                                                                                                 | Not available                                                                                                                                                                                                                                                                                                                     |
+| Managed Installer (MI)            | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer)                                                                                                                                                                                                                                                                                                                                 | Available on RS3+                                                                                                                                                                                                                                                                                                                 |
+| Reputation-Based intelligence     | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph)                                                                                                                                                                                                                                                                                                                                 | Available on RS3+                                                                                                                                                                                                                                                                                                                 |
+| Multiple policy support           | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies)                                                                                                                                                                                                                                                                                                                                 | Multiple base policies available on Windows 10 through MDM                                                                                                                                                                                                                                                                        |
+| Path-based rules                  | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check is available.                                                                                                                                                                                                                                                    | Available on Windows 8+. Exclusions are supported.                                                                                                                                                                                                                                                                                |
+| COM object configurability        | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy)                                                                                                                                                                                                                                                                                                                                 | Not available                                                                                                                                                                                                                                                                                                                     |
+| Packaged app rules                | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control)                                                                                                                                                                                                                                                                                                                                 | Available on Windows 8+                                                                                                                                                                                                                                                                                                           |
+| Enforceable file extensions       | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>Driver files and executables cannot be separately configured.<br>Manages system driver files.<br>Does not manage .bat or .cmd files. | <ul><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>Driver files and executables can be separately configured.<br>Does not manage system drivers.<br>Manages .bat and .cmd files. |
+
 ## When to use both WDAC and AppLocker together
 
 AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.

From 1296c885f1ecdacf1429eca256ac05864179c640 Mon Sep 17 00:00:00 2001
From: isbrahm <43386070+isbrahm@users.noreply.github.com>
Date: Wed, 29 Jan 2020 14:51:13 -0800
Subject: [PATCH 02/21] Change section order for clarity

---
 .../windows-defender-application-control.md          | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index e5740b67c8..d6d6663a12 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -93,7 +93,12 @@ Although either AppLocker or WDAC can be used to control application execution o
 -   You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
 -   You do not wish to enforce application control on application files such as DLLs or drivers.
 
-### Detailed Comparison Chart
+## When to use both WDAC and AppLocker together
+
+AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
+As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
+
+## WDAC and AppLocker Feature Availability
 | Capability                        | WDAC                                                                                                                                                                                                                                                                                                                                               | AppLocker                                                                                                                                                                                                                                                                                                                         |
 |-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Platform support                  | Available on Windows 10 devices                                                                                                                                                                                                                                                                                                                    | Available on Windows 8+ devices                                                                                                                                                                                                                                                                                                   |
@@ -110,11 +115,6 @@ Although either AppLocker or WDAC can be used to control application execution o
 | Packaged app rules                | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control)                                                                                                                                                                                                                                                                                                                                 | Available on Windows 8+                                                                                                                                                                                                                                                                                                           |
 | Enforceable file extensions       | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>Driver files and executables cannot be separately configured.<br>Manages system driver files.<br>Does not manage .bat or .cmd files. | <ul><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>Driver files and executables can be separately configured.<br>Does not manage system drivers.<br>Manages .bat and .cmd files. |
 
-## When to use both WDAC and AppLocker together
-
-AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
-As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
-
 ## See also
 
 - [WDAC design guide](windows-defender-application-control-design-guide.md)

From c05407f7f3847a8895e96d6c33c753e27eea3b1f Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 31 Jan 2020 11:09:35 -0800
Subject: [PATCH 03/21] Update windows-defender-application-control.md

---
 .../windows-defender-application-control.md                     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index d6d6663a12..dce27aa688 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -14,7 +14,7 @@ author: denisebmsft
 ms.reviewer: isbrahm
 ms.author: deniseb
 manager: dansimp
-ms.date: 01/08/2019
+ms.date: 01/31/2020
 ms.custom: asr
 ---
 

From b2c3aef0bb5cc7d40f305b51102517fb7d5d596c Mon Sep 17 00:00:00 2001
From: isbrahm <43386070+isbrahm@users.noreply.github.com>
Date: Thu, 20 Feb 2020 17:18:28 -0800
Subject: [PATCH 04/21] Resolve suggested changes from jsuther

---
 .../windows-defender-application-control.md   | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index dce27aa688..3cfa96569b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -59,7 +59,7 @@ WDAC policies apply to the managed computer as a whole and affects all users of
 ### WDAC System Requirements
 
 WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above.
-They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune.
+They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Endpoint Manager Intune (Intune).
 Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above.
 
 ## AppLocker
@@ -101,19 +101,19 @@ As a best practice, you should enforce WDAC at the most restrictive level possib
 ## WDAC and AppLocker Feature Availability
 | Capability                        | WDAC                                                                                                                                                                                                                                                                                                                                               | AppLocker                                                                                                                                                                                                                                                                                                                         |
 |-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Platform support                  | Available on Windows 10 devices                                                                                                                                                                                                                                                                                                                    | Available on Windows 8+ devices                                                                                                                                                                                                                                                                                                   |
+| Platform support                  | Available on Windows 10                                                                                                                                                                                                                                                                                                                    | Available on Windows 8+                                                                                                                                                                                                                                                                                                   |
 | SKU availability                  | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs.                                                                                                                                                                                        | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs.                                                                                                                                                                                                |
-| Management solutions              | <ul><li>[Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) (including built-in policies)</li><li>[SCCM](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (including built-in policies)</li><li>[Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy) </li><li>PowerShell</li></ul>                                                                                                                                                                                                                                         | <ul><li>Intune (no native support)</li><li>SCCM (no native support)</li><li>Group Policy</li><li>PowerShell</li><ul>                                                                                                                                                                                                                                              |
+| Management solutions              | <ul><li>[Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Manager Configuration Manager (MEMCM)](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)</li><li>[Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy) </li><li>PowerShell</li></ul>                                                                                                                                                                                                                                         | <ul><li>[Intune](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>MEMCM (custom policy deployment via Software Distribution only)</li><li>[Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement)</li><li>PowerShell</li><ul>                                                                                                                                                                                                                                              |
 | Per-User and Per-User group rules | Not available (policies are device-wide)                                                                                                                                                                                                                                                                                                           | Available on Windows 8+                                                                                                                                                                                                                                                                                                           |
-| Kernel mode policies              | Available on all Windows 10 builds                                                                                                                                                                                                                                                                                                                 | Not available                                                                                                                                                                                                                                                                                                                     |
+| Kernel mode policies              | Available on all Windows 10 versions                                                                                                                                                                                                                                                                                                                 | Not available                                                                                                                                                                                                                                                                                                                     |
 | Per-app rules                     | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules)                                                                                                                                                                                                                                                                                                                                 | Not available                                                                                                                                                                                                                                                                                                                     |
-| Managed Installer (MI)            | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer)                                                                                                                                                                                                                                                                                                                                 | Available on RS3+                                                                                                                                                                                                                                                                                                                 |
-| Reputation-Based intelligence     | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph)                                                                                                                                                                                                                                                                                                                                 | Available on RS3+                                                                                                                                                                                                                                                                                                                 |
-| Multiple policy support           | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies)                                                                                                                                                                                                                                                                                                                                 | Multiple base policies available on Windows 10 through MDM                                                                                                                                                                                                                                                                        |
-| Path-based rules                  | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check is available.                                                                                                                                                                                                                                                    | Available on Windows 8+. Exclusions are supported.                                                                                                                                                                                                                                                                                |
+| Managed Installer (MI)            | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer)                                                                                                                                                                                                                                                                                                                                 | Not available                                                                                                                                                                                                                                                                                                                |
+| Reputation-Based intelligence     | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph)                                                                                                                                                                                                                                                                                                                                 | Not available                                                                                                                                                                                                                                                                                                                |
+| Multiple policy support           | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies)                                                                                                                                                                                                                                                                                                                                 | Not available                                                                                                                                                                                                                                                                        |
+| Path-based rules                  | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default.                                                                                                                                                                                                                                                    | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check.                                                                                                                                                                                                                                                                                |
 | COM object configurability        | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy)                                                                                                                                                                                                                                                                                                                                 | Not available                                                                                                                                                                                                                                                                                                                     |
-| Packaged app rules                | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control)                                                                                                                                                                                                                                                                                                                                 | Available on Windows 8+                                                                                                                                                                                                                                                                                                           |
-| Enforceable file extensions       | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>Driver files and executables cannot be separately configured.<br>Manages system driver files.<br>Does not manage .bat or .cmd files. | <ul><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>Driver files and executables can be separately configured.<br>Does not manage system drivers.<br>Manages .bat and .cmd files. |
+| Packaged app rules                | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control)                                                                                                                                                                                                                                                                                                                                 | Available on Windows 8+                                                                                                                                                                                                                                                                                                           |
+| Enforceable file types       | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| <ul><li>Executable files: .exe and .com</li><li>[Optional] DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>|
 
 ## See also
 

From 92159eaf16146863ebbe9f348b509d12f9a3e9f6 Mon Sep 17 00:00:00 2001
From: isbrahm <43386070+isbrahm@users.noreply.github.com>
Date: Fri, 28 Feb 2020 09:55:47 -0800
Subject: [PATCH 05/21] Document Intune's default policy

Customers have requested more insight into Intune's built-in policy
---
 ...defender-application-control-policies-using-intune.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 128fb4d3a3..48ce449ecd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -14,12 +14,9 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 05/17/2018
+ms.date: 02/28/2020
 ---
 
-> [!NOTE]
-> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/).
-
 # Deploy Windows Defender Application Control policies by using Microsoft Intune
 
 **Applies to:**
@@ -33,6 +30,10 @@ In order to deploy a custom policy through Intune and define your own circle of
 
 ## Using Intune's Built-In Policies
 
+Intune's built-in WDAC support enables you to deploy a policy which only allows Windows components and Microsoft Store apps to run. This policy is the non-Multiple Policy Format version of the DefaultWindows policy; the Multiple Policy Format version can be found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies.
+
+Setting "Trust apps with good reputation" to enabled is equivalent to adding [Option 14 (Enabled: Intelligent Security Graph Authorization)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-policy-rules) to the DefaultWindows policy.
+
 1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
 
 2. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**.  

From 41d6117557e7250c31968c4bf0d5cc8964fb28d5 Mon Sep 17 00:00:00 2001
From: isbrahm <43386070+isbrahm@users.noreply.github.com>
Date: Fri, 28 Feb 2020 12:59:30 -0800
Subject: [PATCH 06/21] Add clarifications to WDAC ISG docs

Clarify relation to SmartScreen, what reputation information is set when a file has positive reputation, what data is sent about a file to the cloud
---
 ...tion-control-with-intelligent-security-graph.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index e34ac21abb..a394acd1c8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -25,18 +25,18 @@ manager: dansimp
 
 Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.  
 
-Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as the Microsoft Intelligent Security Graph authorization, that allows IT administrators to automatically authorize applications that the Microsoft Intelligent Security Graph recognizes as having known good reputation. The the Microsoft Intelligent Security Graph option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software. To learn more about the Microsoft Intelligent Security Graph, see the Security section in [Major services and features in Microsoft Graph](https://docs.microsoft.com/graph/overview-major-services).
+Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as the Microsoft Intelligent Security Graph authorization, that allows IT administrators to automatically authorize applications that the Microsoft Intelligent Security Graph recognizes as having known good reputation. The Microsoft Intelligent Security Graph option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software. To learn more about the Microsoft Intelligent Security Graph, see the Security section in [Major services and features in Microsoft Graph](https://docs.microsoft.com/graph/overview-major-services).
 
 ## How does the integration between WDAC and the Intelligent Security Graph work? 
 
-The the Microsoft Intelligent Security Graph relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the the Microsoft Intelligent Security Graph authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed, the reputation data is used to help make the right policy authorization decision.   
+The Microsoft Intelligent Security Graph relies on the same vast security intelligence and machine learning analytics which power Microsoft Defender SmartScreen to help classify applications as having known good, known bad, or unknown reputation. When an unevaluated file is run on a system with WDAC enabled with the Microsoft Intelligent Security Graph authorization option specified, WDAC queries the file's reputation by sending its hash and signing information to the cloud. If the Microsoft Intelligent Security Graph determines that the file has a known good reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. Every time the file tries to execute, if there are no explicit deny rules present for the file, it will be allowed to run based on its positive reputation. Conversely, a file that has unknown or known bad reputation will still be allowed to run in the presence of a rule that explicitly allows the file.
 
-After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification.  
+A file's positive reputation information will also be passed along to any files that it writes. For example, when a user downloads an application installer that is determined to have known good reputation, the files that it generates are also marked as having positive reputation. This way, all the files needed to install and run an app are granted positive reputation data.
 
-The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot.    
+WDAC periodically re-queries the reputation data on a file. Additonally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option.
 
 >[!NOTE]
->Admins should make sure there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager and Microsoft Intune can be used to create and push a WDAC policy to your client machines.  
+>Admins should make sure there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Manager Configuration Manager (MEMCM) and Microsoft Endpoint Manager Intune (MEM Intune) can be used to create and push a WDAC policy to your client machines.  
 
 Other examples of WDAC policies are available in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy). 
 
@@ -85,7 +85,7 @@ In order for the heuristics used by the Microsoft Intelligent Security Graph to
 appidtel start
 ```
 
-For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the Configuration Manager WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through Configuration Manager then this step is required.   
+This step is not required for WDAC policies deployed over MDM using the AppLocker CSP, as the CSP will enable the necessary components. This step is also not required when enabling the Microsoft Intelligent Security Graph through the MEMCM WDAC UX. However, if custom policies are being deployed outside of the WDAC UX through MEMCM, then this step is required.   
 
 ## Security considerations with the Intelligent Security Graph 
 
@@ -104,4 +104,4 @@ The Microsoft Intelligent Security Graph heuristics do not authorize kernel mode
 In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases. 
 
 >[!NOTE]
-> A rule that explicitly allows an application will take precedence over the Microsoft Intelligent Security Graph rule that does not allow it. In this scenario, this policy is not compatible with Intune, where there is no option to add rules to the template that enables the Microsoft Intelligent Security Graph. In most circumstances you would need to build a custom WDAC policy, including the Microsoft Intelligent Security Graph, if desired.
+> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. MEM Intune's built-in WDAC support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune#using-a-custom-oma-uri-profile).

From 1354de21018541264646964f6563869d245919eb Mon Sep 17 00:00:00 2001
From: isbrahm <43386070+isbrahm@users.noreply.github.com>
Date: Mon, 2 Mar 2020 09:47:40 -0800
Subject: [PATCH 07/21] Update with minor suggested edits

ISG relies on same intelligence as Defender Smartscreen and Defender AV, not just Smartscreen.
The propagation of reputation only happens for installers. Files that aren't installers won't propagate their reputation.
---
 ...der-application-control-with-intelligent-security-graph.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index a394acd1c8..172f124bcb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -29,9 +29,9 @@ Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) pro
 
 ## How does the integration between WDAC and the Intelligent Security Graph work? 
 
-The Microsoft Intelligent Security Graph relies on the same vast security intelligence and machine learning analytics which power Microsoft Defender SmartScreen to help classify applications as having known good, known bad, or unknown reputation. When an unevaluated file is run on a system with WDAC enabled with the Microsoft Intelligent Security Graph authorization option specified, WDAC queries the file's reputation by sending its hash and signing information to the cloud. If the Microsoft Intelligent Security Graph determines that the file has a known good reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. Every time the file tries to execute, if there are no explicit deny rules present for the file, it will be allowed to run based on its positive reputation. Conversely, a file that has unknown or known bad reputation will still be allowed to run in the presence of a rule that explicitly allows the file.
+The Microsoft Intelligent Security Graph relies on the same vast security intelligence and machine learning analytics which power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having known good, known bad, or unknown reputation. When an unevaluated file is run on a system with WDAC enabled with the Microsoft Intelligent Security Graph authorization option specified, WDAC queries the file's reputation by sending its hash and signing information to the cloud. If the Microsoft Intelligent Security Graph determines that the file has a known good reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. Every time the file tries to execute, if there are no explicit deny rules present for the file, it will be allowed to run based on its positive reputation. Conversely, a file that has unknown or known bad reputation will still be allowed to run in the presence of a rule that explicitly allows the file.
 
-A file's positive reputation information will also be passed along to any files that it writes. For example, when a user downloads an application installer that is determined to have known good reputation, the files that it generates are also marked as having positive reputation. This way, all the files needed to install and run an app are granted positive reputation data.
+Additionally, an application installer which is determined to have known good reputation will pass along that positive reputation to any files that it writes. This way, all the files needed to install and run an app are granted positive reputation data.
 
 WDAC periodically re-queries the reputation data on a file. Additonally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option.
 

From 121710aad60f0dc94b213d645d259e02380d8155 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 9 Mar 2020 17:10:54 -0700
Subject: [PATCH 08/21] remove dead link

---
 windows/security/threat-protection/TOC.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 2b444785f5..0ba4329961 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -508,7 +508,7 @@
 #### [Common Vulnerabilities and Exposures (CVE) to KB map]()
 ##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
 
-#### [Pull detections to your SIEM tools]()
+
 #### [Raw data streaming API]()
 ##### [Raw data streaming](microsoft-defender-atp/raw-data-export.md)
 ##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)

From 475960c373e90e94890f5a577b995334c58d178d Mon Sep 17 00:00:00 2001
From: Beth Levin <elizabeth.levin@microsoft.com>
Date: Mon, 9 Mar 2020 17:51:57 -0700
Subject: [PATCH 09/21] doc updates

---
 .vscode/settings.json                         |  1 +
 .../next-gen-threat-and-vuln-mgt.md           | 44 ++++++++-----
 .../tvm-dashboard-insights.md                 | 65 +++++++++++--------
 .../tvm-supported-os.md                       |  9 +--
 4 files changed, 69 insertions(+), 50 deletions(-)

diff --git a/.vscode/settings.json b/.vscode/settings.json
index e7f59d08ec..9c0086e560 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +1,6 @@
 {
    "cSpell.words": [
+      "intune",
       "kovter",
       "kovter's",
       "poshspy"
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 09dea1ee83..0dcf2d9ac5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -1,7 +1,7 @@
 ---
 title: Threat & Vulnerability Management
 description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration asessment, windows defender atp, microsoft defender atp, endpoint vulnerabilities
+keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, windows defender atp, microsoft defender atp, endpoint vulnerabilities, next generation
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -18,52 +18,60 @@ ms.topic: conceptual
 ---
 
 # Threat & Vulnerability Management
+
 **Applies to:**
+
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
 
-Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. 
+Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
 
 It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
 
-Watch this video for a quick overview of Threat & Vulnerability Management.    
+Watch this video for a quick overview of Threat & Vulnerability Management.
 
 >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4mLsn]
 
-## Next-generation capabilities 
-Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.  
+## Next-generation capabilities
+
+Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.  
 
 It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager.
 
-It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. 
+It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
+
 - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
 - Linked machine vulnerability and security configuration assessment data in the context of exposure discovery
-- Built-in remediation processes through Microsoft Intune and Configuration Manager 
+- Built-in remediation processes through Microsoft Intune and Configuration Manager
 
 ### Real-time discovery
- 
+
 To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
+
 - Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
-- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, and software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
+- Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
 - Application runtime context. Visibility on application usage patterns for better prioritization and decision-making.
 - Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations.
- 
+
 ### Intelligence-driven prioritization
- 
+
 Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
+
 - Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
 - Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
-- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users.
- 
+- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users.
+
 ### Seamless remediation
- 
-Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
-- Remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. 
+
+Microsoft Defender ATP's Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
+
+- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. 
 - Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
 - Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
 
 ## Related topics
+
 - [Supported operating systems and platforms](tvm-supported-os.md)
 - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
@@ -79,4 +87,4 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm
 - [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
 - [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
 - [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [BLOG: Microsoft’s Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/)
+- [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 97a1b56853..074eac3838 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -1,6 +1,6 @@
 ---
-title: What's in the dashboard and what it means for my organization's security posture
-description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their org's security resilience.
+title: Threat & Vulnerability Management dashboard overview
+description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience.
 keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score    
 search.appverid: met150
 search.product: eADQiWindows 10XVcnh
@@ -19,18 +19,21 @@ ms.topic: conceptual
 # Threat & Vulnerability Management dashboard overview
 
 **Applies to:**
+
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
 
 Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
+
 - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
 - Invaluable machine vulnerability context during incident investigations
 - Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager  
   
 You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
+
 - View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
-- Correlate EDR insights with endpoint vulnerabilities and process them 
+- Correlate EDR insights with endpoint vulnerabilities and process them
 - Select remediation options, triage and track the remediation tasks
 - Select exception options and track active exceptions
 
@@ -38,40 +41,46 @@ You can use the Threat & Vulnerability Management capability in [Microsoft Defen
 > Machines that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and configuration score.
 
 ## Threat & Vulnerability Management in Microsoft Defender Security Center
-When you open the portal, you’ll see the main areas of the capability:
 
- ![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png)
- 
- ![Threat & Vulnerability Management menu](images/tvm-menu.png)
+When you open the portal, you'll see the main areas of the capability:
 
-- (1) Menu in the navigation pane
-- (2) Threat & Vulnerability Management icon
+- (1) Menu to open the navigation pane
+- (2) Threat & Vulnerability Management navigation pane
 - (3) Threat & Vulnerability Management dashboard
 
-You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
+ ![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png)
+
+ ![Threat & Vulnerability Management menu](images/tvm-menu.png)
+
+You can navigate through the portal using the menu options available in all sections. Refer to the following tables for a description of each section.
+
+## Threat & Vulnerability Management navigation pane
 
 Area | Description
 :---|:---
-(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
-(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
-**Dashboards**	| Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
-**Security recommendations** | See the list of security recommendations, their related components, whether software or software versions in your network have reached their end-of-life, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
-**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
-**Software inventory** | See the list of software, versions, weaknesses, whether there’s an exploit found on the software, whether the software or software version has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
-**Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
-(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
-**Selected machine groups (#/#)**	| Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages only. 
-**Organization Exposure score**	| See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. See [Exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score) for more information.
-**Organization Configuration score** | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. You can click the bars and it takes you to the **Security recommendation** page for details. See [Configuration score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score) for more information.
-**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it takes you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, operating system platform, its health state, when it was last seen, and its tags. 
-**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![Possible active alert](images/tvm_alert_icon.png), associated public exploits ![Threat insight](images/tvm_bug_icon.png), and recommendation insights ![Recommendation insight](images/tvm_insight_icon.png). Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached its end-of-life, or if the vulnerable version requires security updates and needs to be updated to the latest one). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
-**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
-**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities, and active exceptions.
-**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
+**Dashboard**   | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
+[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP.
+[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions.
+[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates.
+[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details.
 
-See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
+## Threat & Vulnerability Management dashboard
+
+Area | Description
+:---|:---
+**Selected machine groups (#/#)**   | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages.
+[**Exposure score**](tvm-exposure-score.md)   | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
+[**Configuration score**](configuration-score.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. Selecting the bars will take you to the **Security recommendation** page.
+**Machine exposure distribution** | See how many machines are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Machines list** page and view the affected machine names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
+**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Useful icons also quickly calls your attention to <ul><li> ![Possible active alert](images/tvm_alert_icon.png) possible active alerts</li><li>![Threat insight](images/tvm_bug_icon.png) associated public exploits</li><li>![Recommendation insight](images/tvm_insight_icon.png) recommendation insights</li></ul><br>Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached end-of-support, or if a vulnerable version requires updating). You can drill down on the security recommendation to see potential risks, list of exposed machines, and insights. You can then request a remediation for the recommendation. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
+**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
+**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.
+**Top exposed machines** | View exposed machine names and their exposure level. Select a machine name from the list to go to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machines. Select **Show more** to see the rest of the exposed machines list. From the machines list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine.
+
+See [Microsoft Defender ATP icons](portal-overview#windows-defender-atp-icons.md) for more information on the icons used throughout the portal.
 
 ## Related topics
+
 - [Supported operating systems and platforms](tvm-supported-os.md)
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
 - [Exposure score](tvm-exposure-score.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index 568f6d7c1d..6a0874b587 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -1,7 +1,7 @@
 ---
-title: Threat & Vulnerability Management supported operating systems
+title: Threat & Vulnerability Management supported operating systems and platforms
 description: Before you begin, ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your all devices are properly accounted for. 
-keywords: mdatp-tvm supported os, mdatp-tvm, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score    
+keywords: threat & vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, configuration score, exposure score    
 search.appverid: met150
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -19,6 +19,7 @@ ms.topic: article
 # Threat & Vulnerability Management supported operating systems and platforms
 
 **Applies to:**
+
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
@@ -32,7 +33,7 @@ Operating system | Security assessment support
 Windows 7 | Operating System (OS) vulnerabilities
 Windows 8.1 | Not supported
 Windows 10 1607-1703 | Operating System (OS) vulnerabilities
-Windows 10 1709+ |Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment 
+Windows 10 1709+ |Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
 Windows Server 2008R2 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
 Windows Server 2012R2 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
 Windows Server 2016 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
@@ -43,6 +44,7 @@ Linux | Not supported (planned)
 Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements) list.
 
 ## Related topics
+
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
@@ -52,4 +54,3 @@ Some of the above prerequisites might be different from the [Minimum requirement
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
 - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-

From 4ed77dcf24518da4fa9d6701e989939a861a32bc Mon Sep 17 00:00:00 2001
From: Beth Levin <elizabeth.levin@microsoft.com>
Date: Mon, 9 Mar 2020 18:13:08 -0700
Subject: [PATCH 10/21] fix redirects and other updates

---
 .openpublishing.redirection.json              |  6 +++---
 .../configuration-score.md                    |  3 ++-
 .../next-gen-threat-and-vuln-mgt.md           |  4 ++--
 .../tvm-dashboard-insights.md                 |  4 ++--
 .../tvm-exposure-score.md                     | 21 +++++++++++--------
 .../tvm-supported-os.md                       |  4 ++--
 6 files changed, 23 insertions(+), 19 deletions(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 9a240da9cc..c320bdc8fb 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1732,17 +1732,17 @@
 "redirect_document_id": false
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/overview-secure-score.md",
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/secure-score-dashboard.md",
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
 "redirect_document_id": false
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/enable-secure-score.md",
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
 "redirect_document_id": false
 },
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index 5b876f90b8..da85274100 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -19,12 +19,13 @@ ms.topic: conceptual
 # Configuration score
 
 **Applies to:**
+
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 >[!NOTE]
 > Secure score is now part of Threat & Vulnerability Management as Configuration score.
 
-Your Configuration score is visible in the Threat & Vulnerability Management dashboard of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories:
+Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories:
 
 - Application
 - Operating system
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 0dcf2d9ac5..7773ecd54f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -8,8 +8,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 074eac3838..ee78021935 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -8,8 +8,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index ad6de378c5..6785da1317 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -1,35 +1,37 @@
 ---
 title: Exposure score
-description: The Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) exposure score reflects how vulnerable your organization is to cybersecurity threats.
-keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score
+description: The Microsoft Defender ATP exposure score reflects how vulnerable your organization is to cybersecurity threats.
+keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score, threat and vulnerability management, Microsoft Defender Advanced Threat Protection
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: conceptual
-ms.date: 06/30/2019
 ---
 # Exposure score
+
 **Applies to:**
+
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Your exposure score reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation. 
+Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation.
 
-The widget also gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further. 
+The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
 
-![Exposure score widget](images/tvm_exp_score.png)
+![Exposure score card](images/tvm_exp_score.png)
 
 ## How it works
 
-Several factors affect your organization exposure score: 
+Several factors affect your organization exposure score:
+
 - Weakness discovered on the device
 - Likelihood of a device getting breached
 - Value of the device to the organization
@@ -38,6 +40,7 @@ Several factors affect your organization exposure score:
 Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details.
 
 ## Related topics
+
 - [Supported operating systems and platforms](tvm-supported-os.md)
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
 - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index 6a0874b587..bd569252f4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -8,8 +8,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro

From 53fffa89d1ddd4fe9cd2705b90aebf17f016c3ec Mon Sep 17 00:00:00 2001
From: Beth Levin <elizabeth.levin@microsoft.com>
Date: Mon, 9 Mar 2020 18:16:33 -0700
Subject: [PATCH 11/21] fix link

---
 .../microsoft-defender-atp/tvm-dashboard-insights.md            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index ee78021935..c76ad6a966 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -77,7 +77,7 @@ Area | Description
 **Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.
 **Top exposed machines** | View exposed machine names and their exposure level. Select a machine name from the list to go to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machines. Select **Show more** to see the rest of the exposed machines list. From the machines list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine.
 
-See [Microsoft Defender ATP icons](portal-overview#windows-defender-atp-icons.md) for more information on the icons used throughout the portal.
+See [Microsoft Defender ATP icons](portal-overview.md#windows-defender-atp-icons) for more information on the icons used throughout the portal.
 
 ## Related topics
 

From eabd170eac5ffbf2409a7bf89411a06bb47b92ea Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 9 Mar 2020 18:47:51 -0700
Subject: [PATCH 12/21] add e5 security

---
 .../microsoft-defender-atp/minimum-requirements.md               | 1 +
 1 file changed, 1 insertion(+)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index 5c52a93ff5..50bd231776 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -37,6 +37,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
 - Windows 10 Enterprise E5
 - Windows 10 Education A5
 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
+- Microsoft 365 E5 Security
 - Microsoft 365 A5 (M365 A5)
 
 

From 3fe6d702b2f208ba3c964e777e79213ce7a2d016 Mon Sep 17 00:00:00 2001
From: DanPandre <54847950+DanPandre@users.noreply.github.com>
Date: Tue, 10 Mar 2020 10:19:12 -0400
Subject: [PATCH 13/21] Correct QoS settings

Documented settings were incorrect for P2P scenarios, and conflicted with each other if used together
---
 .../surface-hub-2s-manage-intune.md           | 24 +++++++++++--------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/devices/surface-hub/surface-hub-2s-manage-intune.md b/devices/surface-hub/surface-hub-2s-manage-intune.md
index 1aaeb331ee..c36d53f1f6 100644
--- a/devices/surface-hub/surface-hub-2s-manage-intune.md
+++ b/devices/surface-hub/surface-hub-2s-manage-intune.md
@@ -50,22 +50,26 @@ To ensure optimal video and audio quality on Surface Hub 2S, add the following Q
 
 |**Name**|**Description**|**OMA-URI**|**Type**|**Value**|
 |:------ |:------------- |:--------- |:------ |:------- |
-|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DestinationPortMatchCondition | String  | 3478-3479 |
-|**Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DSCPAction | Integer | 46 |
-|**Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DestinationPortMatchCondition | String  | 3480 |
-|**Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DSCPAction | Integer | 34 |
+|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsAudio/DestinationPortMatchCondition | String  | 3478-3479 |
+|**Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsAudio/DSCPAction | Integer | 46 |
+|**Video Port**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsVideo/DestinationPortMatchCondition | String  | 3480 |
+|**Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsVideo/DSCPAction | Integer | 34 |
+|**P2P Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PAudio/DestinationPortMatchCondition | String  | 50000-50019 |
+|**P2P Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PAudio/DSCPAction | Integer | 46 |
+|**P2P Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PVideo/DestinationPortMatchCondition | String  | 50020-50039 |
+|**P2P Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PVideo/DSCPAction | Integer | 34 |
 
 
 ### Skype for Business QoS settings
 
 | Name               | Description         | OMA-URI                                                                  | Type    | Value                          |
 | ------------------ | ------------------- | ------------------------------------------------------------------------ | ------- | ------------------------------ |
-| Audio Ports        | Audio Port range    | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition  | String  | 50000-50019                    |
-| Audio DSCP         | Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DSCPAction                | Integer | 46                             |
-| Audio Media Source | Skype App name      | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/AppPathNameMatchCondition | String  | Microsoft.PPISkype.Windows.exe |
-| Video Ports        | Video Port range    | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/SourcePortMatchCondition  | String  | 50020-50039                    |
-| Video DSCP         | Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DSCPAction                | Integer | 34                             |
-| Video Media Source | Skype App name      | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/AppPathNameMatchCondition | String  | Microsoft.PPISkype.Windows.exe |
+| Audio Ports        | Audio Port range    | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBAudio/SourcePortMatchCondition  | String  | 50000-50019                    |
+| Audio DSCP         | Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBAudio/DSCPAction                | Integer | 46                             |
+| Audio Media Source | Skype App name      | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBAudio/AppPathNameMatchCondition | String  | Microsoft.PPISkype.Windows.exe |
+| Video Ports        | Video Port range    | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBVideo/SourcePortMatchCondition  | String  | 50020-50039                    |
+| Video DSCP         | Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBVideo/DSCPAction                | Integer | 34                             |
+| Video Media Source | Skype App name      | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBVideo/AppPathNameMatchCondition | String  | Microsoft.PPISkype.Windows.exe |
 
 > [!NOTE]
 > Both tables show default port ranges. Administrators may change the port ranges in the Skype for Business and Teams control panel.

From 5a7d86ba73c7e82b3248089a92c85721fa0aeb0a Mon Sep 17 00:00:00 2001
From: Beth Levin <elizabeth.levin@microsoft.com>
Date: Tue, 10 Mar 2020 09:04:10 -0700
Subject: [PATCH 14/21] Update tvm-dashboard-insights.md

---
 .../microsoft-defender-atp/tvm-dashboard-insights.md            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index c76ad6a966..ce96bd9856 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -77,7 +77,7 @@ Area | Description
 **Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.
 **Top exposed machines** | View exposed machine names and their exposure level. Select a machine name from the list to go to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machines. Select **Show more** to see the rest of the exposed machines list. From the machines list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine.
 
-See [Microsoft Defender ATP icons](portal-overview.md#windows-defender-atp-icons) for more information on the icons used throughout the portal.
+See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons) for more information on the icons used throughout the portal.
 
 ## Related topics
 

From 0163595acbb0ff2d60ea5e780f2bc9b276f49059 Mon Sep 17 00:00:00 2001
From: Beth Levin <elizabeth.levin@microsoft.com>
Date: Tue, 10 Mar 2020 09:06:21 -0700
Subject: [PATCH 15/21] redirect

---
 .openpublishing.redirection.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index c320bdc8fb..855f312b05 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1384,7 +1384,7 @@
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score",
-"redirect_document_id": true
+"redirect_document_id": false
 },
 {
 "source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md",

From f33a9ee97e5fcf14f030cc5e55ddb189bec879c0 Mon Sep 17 00:00:00 2001
From: Beth Levin <elizabeth.levin@microsoft.com>
Date: Tue, 10 Mar 2020 09:29:46 -0700
Subject: [PATCH 16/21] redirect and videos

---
 .openpublishing.redirection.json                       | 10 ----------
 .../microsoft-defender-atp/tvm-dashboard-insights.md   |  4 ++++
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 855f312b05..62b310e4e4 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1382,11 +1382,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score",
-"redirect_document_id": false
-},
-{
 "source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection",
 "redirect_document_id": true
@@ -1742,11 +1737,6 @@
 "redirect_document_id": false
 },
 {
-"source_path": "windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
-"redirect_document_id": false
-},
-{
 "source_path": "windows/security/threat-protection/windows-defender-atp/partner-applications.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/partner-applications",
 "redirect_document_id": true
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index ce96bd9856..d2c196a62c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -40,6 +40,10 @@ You can use the Threat & Vulnerability Management capability in [Microsoft Defen
 > [!NOTE]
 > Machines that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and configuration score.
 
+Watch this video for a quick overview of what is in the Threat & Vulnerability Management dashboard.
+
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r1nv]
+
 ## Threat & Vulnerability Management in Microsoft Defender Security Center
 
 When you open the portal, you'll see the main areas of the capability:

From d837d040c99ee8b599dc30d3d4912cc363f99ffa Mon Sep 17 00:00:00 2001
From: Dani Halfin <daniha@microsoft.com>
Date: Tue, 10 Mar 2020 09:43:21 -0700
Subject: [PATCH 17/21] Quick adjustment per customer feedback

---
 .../windows-defender-smartscreen-overview.md                   | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index d22f241c9b..43f202c156 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -55,6 +55,9 @@ Windows Defender SmartScreen provide an early warning system against websites th
 
 - **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
 
+> [!IMPORTANT]
+> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares such asshared folders with a UNC paths (SMB/CIFS shares).
+
 ## Viewing Windows Defender SmartScreen anti-phishing events
 
 When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).

From 0505a009fa714a017d6eb5e9076c9c7f1c06a240 Mon Sep 17 00:00:00 2001
From: Dani Halfin <daniha@microsoft.com>
Date: Tue, 10 Mar 2020 09:47:18 -0700
Subject: [PATCH 18/21] quick edit

---
 .../windows-defender-smartscreen-overview.md                    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index 43f202c156..b9d400165d 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -56,7 +56,7 @@ Windows Defender SmartScreen provide an early warning system against websites th
 - **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
 
 > [!IMPORTANT]
-> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares such asshared folders with a UNC paths (SMB/CIFS shares).
+> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
 
 ## Viewing Windows Defender SmartScreen anti-phishing events
 

From 643308133391bff2667b683b71d15c9c871e95d1 Mon Sep 17 00:00:00 2001
From: isbrahm <43386070+isbrahm@users.noreply.github.com>
Date: Tue, 10 Mar 2020 10:01:04 -0700
Subject: [PATCH 19/21] Add ms.date to ISG doc metadata

---
 ...fender-application-control-with-intelligent-security-graph.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 172f124bcb..7cdaf54c24 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -14,6 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
+ms.date: 03/10/20
 ---
 
 # Authorize reputable apps with the Intelligent Security Graph (ISG) 

From 8c93d02c627f2b2f4a393e5d7bb298d56996da29 Mon Sep 17 00:00:00 2001
From: Tina Burden <v-tibur@microsoft.com>
Date: Tue, 10 Mar 2020 10:52:20 -0700
Subject: [PATCH 20/21] pencil edits

---
 ...der-application-control-with-intelligent-security-graph.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 7cdaf54c24..7c9d0b4790 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 03/10/20
+ms.date: 03/10/2020
 ---
 
 # Authorize reputable apps with the Intelligent Security Graph (ISG) 
@@ -34,7 +34,7 @@ The Microsoft Intelligent Security Graph relies on the same vast security intell
 
 Additionally, an application installer which is determined to have known good reputation will pass along that positive reputation to any files that it writes. This way, all the files needed to install and run an app are granted positive reputation data.
 
-WDAC periodically re-queries the reputation data on a file. Additonally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option.
+WDAC periodically re-queries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option.
 
 >[!NOTE]
 >Admins should make sure there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Manager Configuration Manager (MEMCM) and Microsoft Endpoint Manager Intune (MEM Intune) can be used to create and push a WDAC policy to your client machines.  

From 649f41e5b20fc4d9d8a54568a9423535908f6083 Mon Sep 17 00:00:00 2001
From: Tina Burden <v-tibur@microsoft.com>
Date: Tue, 10 Mar 2020 10:53:07 -0700
Subject: [PATCH 21/21] pencil edit

---
 .../windows-defender-application-control.md                     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 82904d8b9c..827bc6fab0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -59,7 +59,7 @@ WDAC policies apply to the managed computer as a whole and affects all users of
 ### WDAC System Requirements
 
 WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
-WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a scripthost like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
+WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
 
 ## AppLocker