Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
-DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromized by advanced security threats or running a malicious (jailbroken) operating system.
+DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
The following list of operations are performed by DHA-Enabled-MDM:
The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.
-- 0 - (HEALTHATTESTATION\_CERT\_RETRI_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service -- 1 - (HEALTHATTESTATION\_CERT\_RETRI_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device +- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service +- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device - 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes -- 3 - (HEALTHATTESTATION\_CERT\_RETRI_COMPLETE): DHA-Data is ready for pick up +- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up **ForceRetrieve** (Optional)Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
@@ -220,7 +220,7 @@ The following diagram shows the Device HealthAttestation configuration service p **CorrelationId** (Required)Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
-Value type is integer, the minimum value is - 2,147,483,648 and the maximun value is 2,147,483,647. The supported operation is Get.
+Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.
**HASEndpoint** (Optional)Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.
@@ -359,8 +359,8 @@ The following example shows a sample call that triggers collection and verificat After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take. -- If the response is HEALTHATTESTATION\_CERT_RETRI_COMPLETE (3) then proceed to the next section. -- If the response is HEALTHATTESTATION_CERT_RETRI_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRI_UNINITIALIZED (0) wait for an alert, then proceed to the next section. +- If the response is HEALTHATTESTATION\_CERT_RETRIEVAL_COMPLETE (3) then proceed to the next section. +- If the response is HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED (0) wait for an alert, then proceed to the next section. Here is a sample alert that is issued by DHA_CSP: @@ -830,7 +830,7 @@ Each of these are described in further detail in the following sections, along w-The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information. -3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.
+1. On the KMS host, open the event log and confirm that DNS publishing is successful.
+2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.
-The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
+ The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
+3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr.vbs /dlv**, and then press ENTER.
-For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://go.microsoft.com/fwlink/p/?LinkId=733639).
+ The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
+
+For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
## Key Management Service in earlier versions of Windows
If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
-1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
-2. Request a new KMS host key from the Volume Licensing Service Center.
-3. Install the new KMS host key on your KMS host.
-4. Activate the new KMS host key by running the slmgr.vbs script.
+1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
+2. Request a new KMS host key from the Volume Licensing Service Center.
+3. Install the new KMS host key on your KMS host.
+4. Activate the new KMS host key by running the slmgr.vbs script.
For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
## See also
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index 5152af65fe..45619726e9 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -19,24 +19,26 @@ ms.topic: article
The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012.
-**Note**
-VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
+> [!NOTE]
+> VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
## In this Topic
-- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
-- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
-- [Enterprise Environment](#bkmk-enterpriseenvironment)
-- [VAMT User Interface](#bkmk-userinterface)
+
+- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
+- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
+- [Enterprise Environment](#bkmk-enterpriseenvironment)
+- [VAMT User Interface](#bkmk-userinterface)
## Managing Multiple Activation Key (MAK) and Retail Activation
You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
-- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
-- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
+
+- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
+- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
## Managing Key Management Service (KMS) Activation
-In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
+In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.\
VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
## Enterprise Environment
@@ -55,13 +57,13 @@ The following screenshot shows the VAMT graphical user interface.
VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
-- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
-- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
-- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
-- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
-- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
+
+- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
+- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
+- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
+- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
+- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
## Related topics
+
- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
-
-
diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
index 7dd0eb0898..876cf87f79 100644
--- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -18,14 +18,14 @@ ms.date: 02/28/2019
ms.custom: bitlocker
---
-# BCD settings and BitLocker
+# Boot Configuration Data settings and BitLocker
**Applies to**
- Windows 10
-This topic for IT professionals describes the BCD settings that are used by BitLocker.
+This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
-When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive boot configuration data (BCD) settings have not changed since BitLocker was last enabled, resumed, or recovered.
+When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered.
## BitLocker and BCD Settings
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 77dc97b3eb..d3cf8244bd 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
----
+---g
# BitLocker basic deployment
@@ -28,7 +28,7 @@ This topic explains how to use BitLocker features to protect your data through d
## Using BitLocker to encrypt volumes
-BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This partition is automatically created during a new installation of both client and server operating systems.
+BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems.
In the event that the drive was prepared as a single contiguous space, BitLocker requires a new partition to hold the boot files. BdeHdCfg.exe can create these volumes.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 6de06c740a..981252ffbf 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -43,7 +43,7 @@ Before Windows starts, you must rely on security features implemented as part of
### Trusted Platform Module
-A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys.
+A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys.
On some platforms, TPM can alternatively be implemented as a part of secure firmware.
BitLocker binds encryption keys with the TPM to ensure that a computer has not been tampered with while the system was offline.
For more info about TPM, see [Trusted Platform Module](https://docs.microsoft.com/windows/device-security/tpm/trusted-platform-module-overview).
@@ -126,7 +126,7 @@ For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” sectio
## Attack countermeasures
-This section covers countermeasures for specific types attacks.
+This section covers countermeasures for specific types of attacks.
### Bootkits and rootkits
@@ -162,7 +162,7 @@ The following sections cover mitigations for different types of attackers.
Physical access may be limited by a form factor that does not expose buses and memory.
For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
-This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software.
+This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software.
Mitigation:
- Pre-boot authentication set to TPM only (the default)
@@ -172,7 +172,7 @@ Mitigation:
Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software.
Mitigation:
-- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN to help the TPM anti-hammering mitigation).
+- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation).
-And-
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 34008453ad..358ea6cfab 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -23,7 +23,7 @@ ms.custom: bitlocker
- Windows 10
This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10.
-For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
+For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies.
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 867c020956..f69cdfadb5 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -544,6 +544,7 @@
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
+####### [Set device value](microsoft-defender-atp/set-device-value.md)
###### [Machine Action]()
####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)
@@ -708,7 +709,7 @@
##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
#### [Troubleshoot next-generation protection](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
-
+#### [Troubleshoot migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
index ca821701f2..8d013685ee 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@@ -1,7 +1,7 @@
---
title: Collect diagnostic data of Microsoft Defender Antivirus
description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
-keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av
+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
@@ -25,7 +25,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV.
+This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
> [!NOTE]
> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
@@ -54,7 +54,7 @@ On at least two devices that are experiencing the same issue, obtain the .cab di
4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
> [!NOTE]
-> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation
For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
+> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation
For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
@@ -78,7 +78,7 @@ mpcmdrun.exe -GetFiles -SupportLogLocation
September-2020 (Platform: 4.18.2009.X | Engine: 1.1.17500.4)
+
+ Security intelligence update version: **1.325.10.0**
+ Released: **October 01, 2020**
+ Platform: **4.18.2009.X**
+ Engine: **1.1.17500.4**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+*Admin permissions are required to restore files in quarantine
+*XML formatted events are now supported
+*CSP support for ignoring exclusion merge
+*New management interfaces for:
++UDP Inspection
++Network Protection on Server 2019
++IP Address exclusions for Network Protection
+*Improved visibility into TPM measurements
+*Improved Office VBA module scanning
+
+### Known Issues
+No known issues
+
+ August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)
Security intelligence update version: **1.323.9.0**
@@ -84,7 +108,7 @@ All our updates contain:
* Improved scan event telemetry
* Improved behavior monitoring for memory scans
* Improved macro streams scanning
-* Added "AMRunningMode" to Get-MpComputerStatus Powershell CmdLet
+* Added "AMRunningMode" to Get-MpComputerStatus PowerShell CmdLet
### Known Issues
No known issues
@@ -116,7 +140,7 @@ No known issues
Released: **June 22, 2020**
Platform: **4.18.2006.10**
Engine: **1.1.17200.2**
- Support phase: **Security and Critical Updates**
+ Support phase: **Technical upgrade Support (Only)**
### What's new
* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
index c3358561d8..7bf4c22d0e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
@@ -64,6 +64,9 @@ See [Prevent users from locally modifying policy settings](configure-local-polic
You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
+> [!NOTE]
+> This setting is not supported on Windows 10.
+
### Use Group Policy to prevent users from pausing a scan
1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
new file mode 100644
index 0000000000..09535418a1
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
@@ -0,0 +1,134 @@
+---
+title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
+description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus
+keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+author: martyav
+ms.author: v-maave
+ms.custom: nextgen
+ms.date: 09/11/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus.
+
+## Review event logs
+
+Open the Event viewer app by selecting the **Search** icon in the taskbar, and searching for *event viewer*.
+
+Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender**.
+
+From there, select **Open** underneath **Operational**.
+
+Selecting an event from the details pane will show you more information about an event in the lower pane, under the **General** and **Details** tabs.
+
+## Microsoft Defender Antivirus won't start
+
+This issue can manifest in the form of several different event IDs, all of which have the same underlying cause.
+
+### Associated event IDs
+
+ Event ID | Log name | Description | Source
+-|-|-|-
+15 | Application | Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF. | Security Center
+5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
**Old value:** Default\IsServiceRunning = 0x0
**New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender
+5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender
+
+### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed
+
+On a Windows 10 device, if you are not using Microsoft Defender Advanced Threat Protection (ATP), and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender ATP with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality.
+
+> [!TIP]
+> The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software.
+
+#### Use Services app to check if Microsoft Defender Antivirus is turned off
+
+To open the Services app, select the **Search** icon from the taskbar and search for *services*. You can also open the app from the command-line by typing *services.msc*.
+
+Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*.
+
+While checking the app, you may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service manually, you get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.*
+
+This indicates that Microsoft Defender Antivirus has been automatically turned off to preserve compatibility with a third-party antivirus.
+
+#### Generate a detailed report
+
+You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode, then entering the following command:
+
+```powershell
+GPresult.exe /h gpresult.html
+```
+
+This will generate a report located at *./gpresult.html*. Open this file and you might see the following results, depending on how Microsoft Defender Antivirus was turned off.
+
+##### Group policy results
+
+##### If security settings are implemented via group policy (GPO) at the domain or local level, or though System center configuration manager (SCCM)
+
+Within the GPResults report, under the heading, *Windows Components/Windows Defender Antivirus*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
+
+Policy | Setting | Winning GPO
+-|-|-
+Turn off Windows Defender Antivirus | Enabled | Win10-Workstations
+
+###### If security settings are implemented via Group policy preference (GPP)
+
+Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware)*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
+
+DisableAntiSpyware | -
+-|-
+Winning GPO | Win10-Workstations
+Result: Success |
+**General** |
+Action | Update
+**Properties** |
+Hive | HKEY_LOCAL_MACHINE
+Key path | SOFTWARE\Policies\Microsoft\Windows Defender
+Value name | DisableAntiSpyware
+Value type | REG_DWORD
+Value data | 0x1 (1)
+
+###### If security settings are implemented via registry key
+
+The report may contain the following text, indicating that Microsoft Defender Antivirus is turned off:
+
+> Registry (regedit.exe)
+>
+> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
+> DisableAntiSpyware (dword) 1 (hex)
+
+###### If security settings are set in Windows or your Windows Server image
+
+Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus.
+
+### Turn Microsoft Defender Antivirus back on
+
+Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality.
+
+> [!WARNING]
+> Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system.
+
+Passive mode is available if you start using Microsoft Defender ATP and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed.
+
+Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections.
+
+> [!IMPORTANT]
+> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode.
+
+### See also
+
+* [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
+* [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
index 761dd08cfa..1a87a09ee4 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
@@ -10,8 +10,8 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
+ms.date: 10/01/2018
+ms.reviewer: ksarens
manager: dansimp
---
@@ -96,7 +96,7 @@ Root | Allow antimalware service to start up with normal priority | [Configure r
Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
Root | Turn off routine remediation | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
Root | Randomize scheduled task times | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
+Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) (Not supported on Windows 10)
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
index 5408508e47..d8b5e85940 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
@@ -29,104 +29,104 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a
## Enable the Insider program with Jamf
-a. Create configuration profile com.microsoft.wdav.plist with the following content:
+1. Create configuration profile com.microsoft.wdav.plist with the following content:
-```XML
-
-
-
**Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
-| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
+| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
+
2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
+
4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
+
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
+
6. From a command prompt, verify that you have the three files.
@@ -130,228 +137,116 @@ You do not need any special provisioning for a Mac device beyond a standard [Com
2. Select **Continue** and complete the enrollment.
-You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
+ You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
-
+ > [!div class="mx-imgBorder"]
+ > 
+
+## Approve System Extensions
+
+To approve the system extensions:
+
+1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
+2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
+
+3. In the `Basics` tab, give a name to this new profile.
+
+4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
+
+ Bundle identifier | Team identifier
+ --------------------------|----------------
+ com.microsoft.wdav.epsext | UBF8T346G9
+ com.microsoft.wdav.netext | UBF8T346G9
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
+
+6. Review and create this configuration profile.
## Create System Configuration profiles
1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
+
3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
+
4. Select **OK**.
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+
6. Repeat steps 1 through 5 for more profiles.
+
7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
-8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.
+
+8. Download `fulldisk.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and save it as `tcc.xml`. Create another profile, give it any name and upload this file to it.
> [!CAUTION]
> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
>
- > The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
+ > This configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
- ```xml
-
-
-
+ **Scope**
+
Select **Add**.
+
- **Self-Service**
+ **Self-Service**
+
20. Select **Done**.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index 074b8fc31f..e2bb55c2a6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -41,6 +41,7 @@ Method|Return Type |Description
[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
[Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID
+[Set device value](set-device-value.md)| [machine](machine.md) collection | Set the value of a device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md).
## Properties
@@ -63,3 +64,5 @@ exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evalu
aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is Aad Joined).
machineTags | String collection | Set of [machine](machine.md) tags.
exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+deviceValue | Nullable Enum | The value of the device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md). Possible values are: 'Normal', 'Low' and 'High'.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index f8627a6658..e67120d349 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -54,11 +54,9 @@ The following features are included in the preview release:
- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android.
- - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
+- [Web Content Filtering](web-content-filtering.md)
Web content filtering is part of web protection capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
-- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
You can now see a comprehensive set of details on the vulnerabilities found in your device to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
-
- - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
+ - [Threat and vulnerability management supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
- [Device health and compliance report](machine-reports.md)
The device health and compliance report provides high-level information about the devices in your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
new file mode 100644
index 0000000000..65012f7ca0
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
@@ -0,0 +1,78 @@
+---
+title: Set device value API
+description: Learn how to specify the value of a device using a Microsoft Defender Advanced Threat Protection API.
+keywords: apis, graph api, supported apis, tags, machine tags
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Set device value API
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+## API description
+
+Set the device value of a specific [Machine](machine.md).
+See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md) for more information.
+
+## Limitations
+
+1. You can post on devices last seen according to your configured retention period.
+
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>
+>- The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
+
+## HTTP request
+
+```http
+POST https://api.securitycenter.microsoft.com/api/machines/{machineId}/setDeviceValue
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+
+```json
+{
+ "DeviceValue": "{device value}"
+}
+```
+
+## Response
+
+If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 9e981319a8..85d599cd64 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -57,6 +57,8 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
Defining a device’s value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices marked as “high value” will receive more weight.
+You can also use the [set device value API](set-device-value.md).
+
Device value options:
- Low
@@ -82,6 +84,7 @@ Examples of devices that should be marked as high value:
3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device.
+
## Related topics
- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
index 692170a5cc..4dd4166246 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -21,22 +21,23 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> [!IMPORTANT]
+> **Web content filtering is currently in public preview**
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
+> For more information, see [Microsoft Defender ATP preview features](preview.md).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web content filtering is part of [Web protection](web-protection-overview.md) capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
-You can configure policies across your device groups to block certain categories, effectively preventing users within specified device groups from accessing URLs that are associated with the category. For any category that's not blocked, they are automatically audited. That means your users will be able to access the URLs without disruption, and you will continue to gather access statistics to help create a more custom policy decision. If an element on the page you’re viewing is making calls to a resource that is blocked, your users will see a block notification.
+Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource.
Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome and Firefox). For more information about browser support, see the prerequisites section.
Summarizing the benefits:
- Users are prevented from accessing websites in blocked categories, whether they're browsing on-premises or away
-- Conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
+- Conveniently deploy policies to groups of users using device groups defined in [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
- Access web reports in the same central location, with visibility over actual blocks and web usage
## User experience
@@ -47,17 +48,17 @@ For a more user-friendly in-browser experience, consider using Microsoft Edge.
## Prerequisites
-Before trying out this feature, make sure you have the following:
+Before trying out this feature, make sure you have the following requirements:
- Windows 10 Enterprise E5 license OR Microsoft 365 E3 + Microsoft 365 E5 Security add-on.
- Access to Microsoft Defender Security Center portal
- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
-If Windows Defender SmartScreen is not turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device.
+If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device.
## Data handling
-For this feature, we will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
+We will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
## Turn on web content filtering
@@ -89,31 +90,25 @@ Tip: You can deploy a policy without selecting any category on a device group. T
### Allow specific websites
-It is possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it is applied to the device group in question.
+It's possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it's applied to the device group in question.
1. Create a custom indicator in the Microsoft Defender Security Center by going to **Settings** > **Indicators** > **URL/Domain** > **Add Item**
2. Enter the domain of the site
3. Set the policy action to **Allow**.
-## Web content filtering
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
- cards and details
+## Web content filtering cards and details
Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering.
### Web activity by category
-This card lists the parent web content categories with the largest percentage change in the number of access attempts, whether they have increased or decreased. You can use this card to understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information about that particular category.
+This card lists the parent web content categories with the largest increase or decrease in the number of access attempts. Understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information.
-In the first 30 days of using this feature, your organization might not have sufficient data to display in this card.
+In the first 30 days of using this feature, your organization might not have enough data to display this information.
-### Web content filtering
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
- summary card
+### Web content filtering summary card
This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category.
@@ -143,9 +138,9 @@ Use the time range filter at the top left of the page to select a time period. Y
### Limitations and known issues in this preview
-- Only Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). This is because Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox.
+- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox.
-- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices in the interim before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
+- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
## Related topics
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 27fc2277eb..314e4d3826 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -130,7 +130,6 @@ General battery life and power efficiency improvements for PCs with certain proc
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.
-[What's new in Windows 10, version 1909 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-1909): This list also includes consumer focused new features.
[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
[How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.