From 0d98c94adb25c7f6b247c7571120484ff71e912f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 2 Jun 2020 14:33:56 -0700 Subject: [PATCH 01/38] Removed extraneous pipe character and spaces --- .../microsoft-defender-application-guard/faq-md-app-guard.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index 738bf5aceb..bbe24a32b2 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -22,7 +22,8 @@ Answering frequently asked questions about Microsoft Defender Application Guard ## Frequently Asked Questions -### Can I enable Application Guard on machines equipped with 4GB RAM? | +### Can I enable Application Guard on machines equipped with 4GB RAM? + We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is 4 cores.) From 9d38387e3c7831bee94a028e38bf7e64d7e052a9 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Sep 2020 10:22:43 -0700 Subject: [PATCH 02/38] new landing page --- .openpublishing.redirection.json | 5 ++ windows/hub/index.md | 68 -------------------- windows/hub/index.yml | 107 +++++++++++++++++++++++++++++++ windows/hub/windows-10.yml | 77 ---------------------- 4 files changed, 112 insertions(+), 145 deletions(-) delete mode 100644 windows/hub/index.md create mode 100644 windows/hub/index.yml delete mode 100644 windows/hub/windows-10.yml diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 7fbbafce4f..6dfbb5ebdd 100644 
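Review bot: the heading change is correct (the stray trailing pipe is gone and the added blank line separates the heading from the answer), but the hunk's trailing context carries two wording issues that are cheap to fix in the same commit: "We recommend 8GB RAM for optimal performance but you may use" needs a comma before "but", and "machines that aren't meeting the recommended hardware configuration" reads better as "machines that don't meet the recommended hardware configuration".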
--- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -16439,6 +16439,11 @@ "source_path": "windows/deployment/windows-autopilot/windows-autopilot.md", "redirect_url": "https://docs.microsoft.com/mem/autopilot/windows-autopilot", "redirect_document_id": true + }, + { + "source_path": "windows/hub/windows-10.yml", + "redirect_url": "https://docs.microsoft.com/windows/windows-10", + "redirect_document_id": false } ] } diff --git a/windows/hub/index.md b/windows/hub/index.md deleted file mode 100644 index b34eb9cf48..0000000000 --- a/windows/hub/index.md +++ /dev/null @@ -1,68 +0,0 @@ ---- -title: Windows 10 -description: Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10. -ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60 -ms.prod: w10 -ms.localizationpriority: high -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dansimp -author: dansimp -ms.reviewer: dansimp -manager: dansimp ---- - -# Windows 10 - -Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10. - -  - -## Check out [what's new in Windows 10, version 2004](/windows/whats-new/whats-new-windows-10-version-2004). -
- - - - - - - - - -
- - Read what's new in Windows 10 -
What's New?

-
- - Configure Windows 10 in your enterprise -
Configuration

-
- - Windows 10 deployment -
Deployment

-

- - Manage applications in your Windows 10 enterprise deployment -
App Management
-

- - Windows 10 client management -
Client Management
-

- - Windows 10 security -
Security
-
- ->[!TIP] -> Looking for information about older versions of Windows? Check out our other [Windows libraries](/previous-versions/windows/) on docs.microsoft.com. You can also search this site to find specific information, like this [Windows 8.1 content](https://docs.microsoft.com/search/index?search=Windows+8.1&dataSource=previousVersions). - -## Get to know Windows as a Service (WaaS) - -The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. - -These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. - -- [Read more about Windows as a Service](/windows/deployment/update/waas-overview) \ No newline at end of file diff --git a/windows/hub/index.yml b/windows/hub/index.yml new file mode 100644 index 0000000000..f6883d8d16 --- /dev/null +++ b/windows/hub/index.yml 
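Review bot: this hunk deletes windows/hub/index.md, yet the redirection hunk earlier in the same patch adds an entry only for windows/hub/windows-10.yml; if index.yml publishes to the same URL as index.md no redirect is needed, but the commit message (currently just "new landing page") should say so. The new redirection entry also sets "redirect_document_id": false where the neighbouring entry uses true; confirm that is intended. On content, the deleted page's "Get to know Windows as a Service (WaaS)" section, with its link to /windows/deployment/update/waas-overview, and the TIP pointing at the older Windows libraries have no counterpart among the cards in the index.yml that follows; if dropping them is deliberate, note it in the message.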
@@ -0,0 +1,107 @@ +### YamlMime:Landing + +title: Windows 10 deployment resources and documentation # < 60 chars +summary: Learn about deploying and keeping Windows 10 up to date. # < 160 chars + +metadata: + title: Windows 10 documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Evaluate, plan, deploy, secure and manage devices running Windows 10. # Required; article description that is displayed in search results. < 160 chars. + services: windows-10 + ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.subservice: subservice + ms.topic: landing-page # Required + ms.collection: windows-10 + author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. + ms.author: greglin #Required; microsoft alias of author; optional team alias. + ms.date: 09/23/2020 #Required; mm/dd/yyyy format. + localization_priority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: What's new + linkLists: + - linkListType: overview + links: + - text: Windows 10, version 2004 + url: ../whats-new/whats-new-windows-10-version-2004.md + - text: Windows 10, version 1909 + url: ../whats-new/whats-new-windows-10-version-1909.md + - text: Windows 10, version 1903 + url: ../whats-new/whats-new-windows-10-version-1903.md + - text: Windows 10 release information + url: https://docs.microsoft.com/windows/release-information/ + + # Card (optional) + - title: Configuration + linkLists: + - linkListType: how-to-guide + links: + - text: Configure Windows 10 + url: ../configuration/index.md + - text: Accesasibility information for IT Pros + url: 
../configuration/windows-10-accessibility-for-itpros.md + - text: Configure access to Microsoft Store + url: ../configuration/stop-employees-from-using-microsoft-store.md + - text: Set up a shared or guest PC + url: ../configuration/set-up-shared-or-guest-pc.md + + # Card (optional) + - title: Deployment + linkLists: + - linkListType: deploy + links: + - text: Deploy and update Windows 10 + url: ../deployment/index.yml + - text: Windows 10 deployment scenarios + url: ../deployment/windows-10-deployment-scenarios.md + - text: Create a deployment plan + url: ../deployment/update/create-deployment-plan.md + - text: Prepare to deploy Windows 10 + url: ../deployment/update/prepare-deploy-windows.md + + + # Card + - title: App management + linkLists: + - linkListType: how-to-guide + links: + - text: Windows 10 application management + url: ../application-management/index.md + - text: Understand the different apps included in Windows 10 + url: ../application-management/apps-in-windows-10.md + - text: Get started with App-V for Windows 10 + url: ../application-management/app-v/appv-getting-started.md + - text: Keep removed apps from returning during an update + url: ../application-management/remove-provisioned-apps-during-update.md + + # Card + - title: Client management + linkLists: + - linkListType: how-to-guide + links: + - text: Windows 10 client management + url: ../client-management/index.md + - text: Administrative tools in Windows 10 + url: ../client-management/administrative-tools-in-windows-10.md + - text: Create mandatory user profiles + url: ../client-management/mandatory-user-profile.md + - text: New policies for Windows 10 + url: ../client-management/new-policies-for-windows-10.md + + # Card (optional) + - title: Security + linkLists: + - linkListType: how-to-guide + links: + - text: Windows 10 Enterprise Security + url: ../security/index.yml + - text: Identity and access management + url: ../security/identity-protection/index.md + - text: Threat protection + 
url: ../security/threat-protection/index.md + - text: Information protection + url: ../security/information-protection/index.md diff --git a/windows/hub/windows-10.yml b/windows/hub/windows-10.yml deleted file mode 100644 index 822259efbd..0000000000 --- a/windows/hub/windows-10.yml +++ /dev/null @@ -1,77 +0,0 @@ -### YamlMime:YamlDocument - -documentType: LandingData -title: Windows 10 -metadata: - title: Windows 10 - description: Find tools, step-by-step guides, and other resources to help you deploy and support Windows 10 in your organization. - keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories - ms.localizationpriority: medium - author: lizap - ms.author: elizapo - manager: dougkim - ms.topic: article - ms.devlang: na - -sections: -- items: - - type: markdown - text: " - Find tools, step-by-step guides, and other resources to help you deploy and support Windows 10 in your organization. - " -- title: Explore -- items: - - type: markdown - text: " - Get started with Windows 10. Evaluate free for 90 days and set up virtual labs to test a proof of concept.
- -

**Download a free 90-day evaluation**
Try the latest features. Test your apps, hardware, and deployment strategies.
Start evaluation

**Get started with virtual labs**
Try setup, deployment, and management scenarios in a virtual environment, with no additional software or setup required.
See Windows 10 labs

**Conduct a proof of concept**
Download a lab environment with MDT, Configuration Manager, Windows 10, and more.
Get deployment kit
- " -- title: What's new -- items: - - type: markdown - text: " - Learn about the latest releases and servicing options.
- -
What's new in Windows 10, version 1809
What's new in Windows 10, version 1803
What's new in Windows 10, version 1709
Windows 10 release information
Windows 10 update history
Windows 10 roadmap
- " -- title: Frequently asked questions -- items: - - type: markdown - text: " - Get answers to common questions, or get help with a specific problem.
- -
Windows 10 FAQ for IT Pros
Windows 10 forums
Windows 10 TechCommunity
Which edition is right for your organization?
Infrastructure requirements
What's Windows as a service?
Windows 10 Mobile deployment and management guide
- " -- title: Plan -- items: - - type: markdown - text: " - Prepare to deploy Windows 10 in your organization. Explore deployment methods, compatibility tools, and servicing options.
- -

**Application compatibility**
Get best practices and tools to help you address compatibility issues prior to deployment.
Find apps that are ready for Windows 10.
Identify and prioritize apps with Upgrade Readiness
Test, validate, and implement with the Web Application Compatibility Lab Kit

**Upgrade options**
Learn about the options available for upgrading Windows 7, Windows 8, or Windows 8.1 PCs and devices to Windows 10.
Manage Windows upgrades with Upgrade Readiness
Windows 10 upgrade paths
Windows 10 edition upgrades

**Windows as a service**
Windows as a service provides ongoing new capabilities and updates while maintaining a high level of hardware and software compatibility.
Explore
- " -- title: Deploy -- items: - - type: markdown - text: " - Download recommended tools and get step-by-step guidance for in-place upgrades, dynamic provisioning, or traditional deployments.
- -

**In-place upgrade**
The simplest way to upgrade PCs that are currently running WIndows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade.
Upgrade to Windows 10 with Configuration Manager
Upgrade to Windows 10 with MDT

**Traditional deployment**
Some organizations may still need to opt for an image-based deployment of Windows 10.
Deploy Windows 10 with Configuration Manager
Deploy Windows 10 with MDT

**Dynamic provisioning**
With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image.
Provisioning packages for Windows 10
Build and apply a provisioning package
Customize Windows 10 start and the taskbar

**Other deployment scenarios**
Get guidance on how to deploy Windows 10 for students, faculty, and guest users - and how to deploy line-of-business apps.
Windows deployment for education environments
Set up a shared or guest PC with Windows 10
Sideload apps in Windows 10
- " -- title: Management and security -- items: - - type: markdown - text: " - Learn how to manage Windows 10 clients and apps, secure company data, and manage risk.
- -

**Manage Windows 10 updates**
Get best practices and tools to help you manage clients and apps.
Manage clients in Windows 10
Manage apps and features in Windows 10

**Security**
Intelligent security, powered by the cloud. Out-of-the-box protection, advanced security features, and intelligent management to respond to advanced threats.
Windows 10 enterprise security
Threat protection
Identity protection
Information protection
- " -- title: Stay informed -- items: - - type: markdown - text: " - Stay connected with Windows 10 experts, your colleagues, business trends, and IT pro events.
- -

**Sign up for the Windows IT Pro Insider**
Find out about new resources and get expert tips and tricks on deployment, management, security, and more.
Learn more

**Follow us on Twitter**
Keep up with the latest desktop and device trends, Windows news, and events for IT pros.
Visit Twitter

**Join the Windows Insider Program for Business**
Get early access to new builds and provide feedback on the latest features and functionalities.
Get started
- " From d4f80fbc2bb8a279cce0a34586614959689ea5da Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Sep 2020 10:32:51 -0700 Subject: [PATCH 03/38] fix links --- windows/hub/index.yml | 46 +++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index f6883d8d16..d0355a458b 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -27,11 +27,11 @@ landingContent: - linkListType: overview links: - text: Windows 10, version 2004 - url: ../whats-new/whats-new-windows-10-version-2004.md + url: /windows/whats-new/whats-new-windows-10-version-2004.md - text: Windows 10, version 1909 - url: ../whats-new/whats-new-windows-10-version-1909.md + url: /windows/whats-new/whats-new-windows-10-version-1909.md - text: Windows 10, version 1903 - url: ../whats-new/whats-new-windows-10-version-1903.md + url: /windows/whats-new/whats-new-windows-10-version-1903.md - text: Windows 10 release information url: https://docs.microsoft.com/windows/release-information/ @@ -41,13 +41,13 @@ landingContent: - linkListType: how-to-guide links: - text: Configure Windows 10 - url: ../configuration/index.md + url: /windows/configuration/index.md - text: Accesasibility information for IT Pros - url: ../configuration/windows-10-accessibility-for-itpros.md + url: /windows/configuration/windows-10-accessibility-for-itpros.md - text: Configure access to Microsoft Store - url: ../configuration/stop-employees-from-using-microsoft-store.md + url: /windows/configuration/stop-employees-from-using-microsoft-store.md - text: Set up a shared or guest PC - url: ../configuration/set-up-shared-or-guest-pc.md + url: /windows/configuration/set-up-shared-or-guest-pc.md # Card (optional) - title: Deployment 
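Review bot: the @@ -41 hunk rewrites the url lines of the Configuration card but leaves the link text "Accesasibility information for IT Pros" exactly as the previous patch created it; since these lines are being touched anyway, correct it to "Accessibility" here rather than carrying the typo through the rest of the series (it is still present in patch 07).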
@@ -55,13 +55,13 @@ landingContent: - linkListType: deploy links: - text: Deploy and update Windows 10 - url: ../deployment/index.yml + url: /windows/deployment/index.yml - text: Windows 10 deployment scenarios - url: ../deployment/windows-10-deployment-scenarios.md + url: /windows/deployment/windows-10-deployment-scenarios.md - text: Create a deployment plan - url: ../deployment/update/create-deployment-plan.md + url: /windows/deployment/update/create-deployment-plan.md - text: Prepare to deploy Windows 10 - url: ../deployment/update/prepare-deploy-windows.md + url: /windows/deployment/update/prepare-deploy-windows.md # Card @@ -70,13 +70,13 @@ landingContent: - linkListType: how-to-guide links: - text: Windows 10 application management - url: ../application-management/index.md + url: /windows/application-management/index.md - text: Understand the different apps included in Windows 10 - url: ../application-management/apps-in-windows-10.md + url: /windows/application-management/apps-in-windows-10.md - text: Get started with App-V for Windows 10 - url: ../application-management/app-v/appv-getting-started.md + url: /windows/application-management/app-v/appv-getting-started.md - text: Keep removed apps from returning during an update - url: ../application-management/remove-provisioned-apps-during-update.md + url: /windows/application-management/remove-provisioned-apps-during-update.md # Card - title: Client management 
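Review bot: in the @@ -55 hunk the "Deploy and update Windows 10" link becomes /windows/deployment/index.yml, a site-absolute URL that still carries a source-file extension, and every other link in this patch keeps its .md in the same way; patch 07 then strips the extensions and patch 09 corrects the index.yml case a third time. Three passes over the same 23 lines for one logical change ("use site-absolute, extension-less URLs") makes noisy history; suggest squashing 03, 07 and 09 before merge.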
@@ -84,13 +84,13 @@ landingContent: - linkListType: how-to-guide links: - text: Windows 10 client management - url: ../client-management/index.md + url: /windows/client-management/index.md - text: Administrative tools in Windows 10 - url: ../client-management/administrative-tools-in-windows-10.md + url: /windows/client-management/administrative-tools-in-windows-10.md - text: Create mandatory user profiles - url: ../client-management/mandatory-user-profile.md + url: /windows/client-management/mandatory-user-profile.md - text: New policies for Windows 10 - url: ../client-management/new-policies-for-windows-10.md + url: /windows/client-management/new-policies-for-windows-10.md # Card (optional) - title: Security @@ -98,10 +98,10 @@ landingContent: - linkListType: how-to-guide links: - text: Windows 10 Enterprise Security - url: ../security/index.yml + url: /windows/security/index.yml - text: Identity and access management - url: ../security/identity-protection/index.md + url: /windows/security/identity-protection/index.md - text: Threat protection - url: ../security/threat-protection/index.md + url: /windows/security/threat-protection/index.md - text: Information protection - url: ../security/information-protection/index.md + url: /windows/security/information-protection/index.md From 06c303799e3f11db7f60f88f5c01c950cb3bf9cf Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Sep 2020 10:34:25 -0700 Subject: [PATCH 04/38] edit --- windows/hub/index.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index d0355a458b..33c4c00b26 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml 
@@ -26,11 +26,11 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows 10, version 2004 + - text: What's new in Windows 10, version 2004 url: /windows/whats-new/whats-new-windows-10-version-2004.md - - text: Windows 10, version 1909 + - text: What's new in Windows 10, version 1909 url: /windows/whats-new/whats-new-windows-10-version-1909.md - - text: Windows 10, version 1903 + - text: What's new in Windows 10, version 1903 url: /windows/whats-new/whats-new-windows-10-version-1903.md - text: Windows 10 release information url: https://docs.microsoft.com/windows/release-information/ From 452c1afef83f7cee2a2d5df3a17c0c9e2d58467f Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Sep 2020 10:46:53 -0700 Subject: [PATCH 05/38] edit --- windows/hub/TOC.md | 2 +- windows/hub/index.yml | 4 ++-- windows/security/docfx.json | 1 + .../oldTOC.md | 20 ------------------- 4 files changed, 4 insertions(+), 23 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-security-center/oldTOC.md diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md index 1b9bb407c6..25ef07d002 100644 --- a/windows/hub/TOC.md +++ b/windows/hub/TOC.md @@ -1,4 +1,4 @@ -# [Windows 10](index.md) +# [Windows 10](index.yml) ## [What's new](/windows/whats-new) ## [Release information](/windows/release-information) ## [Deployment](/windows/deployment) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 33c4c00b26..53371276ee 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml 
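Review bot: the @@ -26 hunk of patch 04 changes the link text to "What's new in Windows 10, version 2004" (and likewise for 1909 and 1903), but these links already sit under the card titled "What's new", so the prefix is now repeated on every entry; the shorter "Windows 10, version 2004" form kept the card scannable. If the longer text is wanted so the links read well out of context, say so in the commit message, which is currently just "edit".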
@@ -1,7 +1,7 @@ ### YamlMime:Landing -title: Windows 10 deployment resources and documentation # < 60 chars -summary: Learn about deploying and keeping Windows 10 up to date. # < 160 chars +title: Windows 10 resources and documentation for IT Pros # < 60 chars +summary: Configure, plan, deploy, secure and manage devices running Windows 10. # < 160 chars metadata: title: Windows 10 documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. diff --git a/windows/security/docfx.json b/windows/security/docfx.json index d1b2905bad..cb24d92757 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -34,6 +34,7 @@ "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", + "ms.prod": "w10", "ms.topic": "article", "manager": "dansimp", "audience": "ITPro", diff --git a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md deleted file mode 100644 index 0533ec00f5..0000000000 --- a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md +++ /dev/null 
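Review bot: the docfx.json hunk adds "ms.prod": "w10" to globalMetadata under a commit titled "edit", with nothing saying which build warning it was meant to address, and patch 06 ("warning not fixed") removes the same line again. Since the net effect on the series is nil, drop both commits, or keep one whose message names the warning so the next person does not repeat the experiment. The index.yml hunk in the same patch is fine on its own, but its new summary "Configure, plan, deploy, secure and manage" is reworded once more in patch 08; fold that into a single change.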
@@ -1,20 +0,0 @@ ---- -ms.author: dansimp -author: dansimp -title: The Microsoft Defender Security Center app ---- - -# [The Microsoft Defender Security Center app](windows-defender-security-center.md) - -## [Customize the Microsoft Defender Security Center app for your organization](wdsc-customize-contact-information.md) -## [Hide Microsoft Defender Security Center app notifications](wdsc-hide-notifications.md) -## [Manage Microsoft Defender Security Center in Windows 10 in S mode](wdsc-windows-10-in-s-mode.md) -## [Virus and threat protection](wdsc-virus-threat-protection.md) -## [Account protection](wdsc-account-protection.md) -## [Firewall and network protection](wdsc-firewall-network-protection.md) -## [App and browser control](wdsc-app-browser-control.md) -## [Device security](wdsc-device-security.md) -## [Device performance and health](wdsc-device-performance-health.md) -## [Family options](wdsc-family-options.md) - - From a57ded6f35d792e2ee80895abc1b07cc5a03c60a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Sep 2020 10:52:46 -0700 Subject: [PATCH 06/38] warning not fixed --- windows/security/docfx.json | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index cb24d92757..d1b2905bad 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -34,7 +34,6 @@ "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", - "ms.prod": "w10", "ms.topic": "article", "manager": "dansimp", "audience": "ITPro", From 8372e1fa158747d3fd379b2922cd7f624387aaf5 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Sep 2020 10:58:07 -0700 Subject: [PATCH 07/38] links --- windows/hub/index.yml | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 53371276ee..6c07579a54 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml 
@@ -27,11 +27,11 @@ landingContent: - linkListType: overview links: - text: What's new in Windows 10, version 2004 - url: /windows/whats-new/whats-new-windows-10-version-2004.md + url: /windows/whats-new/whats-new-windows-10-version-2004 - text: What's new in Windows 10, version 1909 - url: /windows/whats-new/whats-new-windows-10-version-1909.md + url: /windows/whats-new/whats-new-windows-10-version-1909 - text: What's new in Windows 10, version 1903 - url: /windows/whats-new/whats-new-windows-10-version-1903.md + url: /windows/whats-new/whats-new-windows-10-version-1903 - text: Windows 10 release information url: https://docs.microsoft.com/windows/release-information/ @@ -41,13 +41,13 @@ landingContent: - linkListType: how-to-guide links: - text: Configure Windows 10 - url: /windows/configuration/index.md + url: /windows/configuration/index - text: Accesasibility information for IT Pros - url: /windows/configuration/windows-10-accessibility-for-itpros.md + url: /windows/configuration/windows-10-accessibility-for-itpros - text: Configure access to Microsoft Store - url: /windows/configuration/stop-employees-from-using-microsoft-store.md + url: /windows/configuration/stop-employees-from-using-microsoft-store - text: Set up a shared or guest PC - url: /windows/configuration/set-up-shared-or-guest-pc.md + url: /windows/configuration/set-up-shared-or-guest-pc # Card (optional) - title: Deployment @@ -57,11 +57,11 @@ landingContent: - text: Deploy and update Windows 10 url: /windows/deployment/index.yml - text: Windows 10 deployment scenarios - url: /windows/deployment/windows-10-deployment-scenarios.md + url: /windows/deployment/windows-10-deployment-scenarios - text: Create a deployment plan - url: /windows/deployment/update/create-deployment-plan.md + url: /windows/deployment/update/create-deployment-plan - text: Prepare to deploy Windows 10 - url: /windows/deployment/update/prepare-deploy-windows.md + url: /windows/deployment/update/prepare-deploy-windows # Card 
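Review bot: in the @@ -57 hunk the context line "url: /windows/deployment/index.yml" keeps its extension while the three links below it are converted to extension-less paths, and the Security card's "url: /windows/security/index.yml" is left the same way. Both are corrected in later patches (08 and 09), so this patch should include them instead of leaving the file in a mixed state at this commit.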
@@ -70,13 +70,13 @@ landingContent: - linkListType: how-to-guide links: - text: Windows 10 application management - url: /windows/application-management/index.md + url: /windows/application-management/index - text: Understand the different apps included in Windows 10 - url: /windows/application-management/apps-in-windows-10.md + url: /windows/application-management/apps-in-windows-10 - text: Get started with App-V for Windows 10 - url: /windows/application-management/app-v/appv-getting-started.md + url: /windows/application-management/app-v/appv-getting-started - text: Keep removed apps from returning during an update - url: /windows/application-management/remove-provisioned-apps-during-update.md + url: /windows/application-management/remove-provisioned-apps-during-update # Card - title: Client management @@ -84,13 +84,13 @@ landingContent: - linkListType: how-to-guide links: - text: Windows 10 client management - url: /windows/client-management/index.md + url: /windows/client-management/index - text: Administrative tools in Windows 10 - url: /windows/client-management/administrative-tools-in-windows-10.md + url: /windows/client-management/administrative-tools-in-windows-10 - text: Create mandatory user profiles - url: /windows/client-management/mandatory-user-profile.md + url: /windows/client-management/mandatory-user-profile - text: New policies for Windows 10 - url: /windows/client-management/new-policies-for-windows-10.md + url: /windows/client-management/new-policies-for-windows-10 # Card (optional) - title: Security 
@@ -100,8 +100,8 @@ landingContent: - text: Windows 10 Enterprise Security url: /windows/security/index.yml - text: Identity and access management - url: /windows/security/identity-protection/index.md + url: /windows/security/identity-protection/index - text: Threat protection - url: /windows/security/threat-protection/index.md + url: /windows/security/threat-protection/index - text: Information protection - url: /windows/security/information-protection/index.md + url: /windows/security/information-protection/index From 2336f0ab97515cb1c6cb89e909a27c1bda68ca65 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Sep 2020 11:13:26 -0700 Subject: [PATCH 08/38] minor edit --- windows/hub/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 6c07579a54..5cc27e10bb 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Windows 10 resources and documentation for IT Pros # < 60 chars -summary: Configure, plan, deploy, secure and manage devices running Windows 10. # < 160 chars +summary: Plan, deploy, secure, and manage devices running Windows 10. # < 160 chars metadata: title: Windows 10 documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. @@ -98,7 +98,7 @@ landingContent: - linkListType: how-to-guide links: - text: Windows 10 Enterprise Security - url: /windows/security/index.yml + url: /windows/security/index - text: Identity and access management url: /windows/security/identity-protection/index - text: Threat protection From a6d7699369170ae9a4f87508850ede64ffddbbf4 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Sep 2020 11:49:04 -0700 Subject: [PATCH 09/38] fix link --- windows/hub/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 5cc27e10bb..b227d256a3 100644 --- a/windows/hub/index.yml 
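Review bot: patch 08 bundles two unrelated edits under "minor edit": a wording change to the landing-page summary (adding the serial comma) and the link fix for /windows/security/index that patch 07 missed. Either separate commits or a message listing both would make the history easier to bisect; the link fix could also simply be folded into patch 07.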
+++ b/windows/hub/index.yml @@ -55,7 +55,7 @@ landingContent: - linkListType: deploy links: - text: Deploy and update Windows 10 - url: /windows/deployment/index.yml + url: /windows/deployment/index - text: Windows 10 deployment scenarios url: /windows/deployment/windows-10-deployment-scenarios - text: Create a deployment plan From dae4543a9dd63b54172f0d73427d49ad03160c1d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 24 Sep 2020 16:10:33 -0700 Subject: [PATCH 10/38] Update automated-investigations.md --- .../automated-investigations.md | 39 ++++++++++--------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 8c81015728..2b690278f0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -1,16 +1,17 @@ --- title: Use automated investigations to investigate and remediate threats -description: Understand the automated investigation flow in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). +description: Understand the automated investigation flow in Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint). keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 +ms.technology: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 09/03/2020 +ms.date: 09/24/2020 ms.localizationpriority: medium manager: dansimp audience: ITPro 
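Review bot: in the front-matter hunk of patch 10 the description becomes "Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint)", which presents the new name as though it were an abbreviation of the old one, while the body text in the following hunk uses "Microsoft Defender for Endpoint" on its own; use the new name alone in the description. The hunk also adds "ms.technology: windows" without the commit message ("Update automated-investigations.md") saying why; the ms.date bump to 09/24/2020 is consistent with the content change.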
@@ -27,16 +28,16 @@ ms.custom: AIR > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] -Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender ATP includes automated investigation and remediation capabilities. +Microsoft Defender for Endpoint offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender for Endpoint includes automated investigation and remediation capabilities. Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated. > [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) +> Want to experience Microsoft Defender for Endpoint? 
[Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) ## How the automated investigation starts -When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. +When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. >[!NOTE] >Currently, automated investigation only supports the following OS versions: 
@@ -72,26 +73,26 @@ If an incriminated entity is seen in another device, the automated investigation Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats. > [!NOTE] -> Microsoft Defender ATP tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). +> Microsoft Defender for Endpoint tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). You can configure the following levels of automation: |Automation level | Description| |---|---| -|**Full - remediate threats automatically** | All remediation actions are performed automatically.

***This option is recommended** and is selected by default for Microsoft Defender ATP tenants that were created on or after August 16, 2020, and that have no device groups defined.
If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.*| -|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders are automatically remediated, if needed.| -|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.

Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).| -|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

*This option is selected by default for Microsoft Defender ATP tenants that were created before August 16, 2020, and that have no device groups defined.
If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| +|**Full - remediate threats automatically** | All remediation actions are performed automatically.

***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, and that have no device groups defined. If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.*| +|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories, such as your **Windows** and **Program files** folders.

Files or executables in other folders are automatically remediated, if those files or executables are determined to be malicious.

| +|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.

Examples of temporary folders include the user's **Downloads** folder, the user's `\AppData\Local\Temp` folder, and local settings for documents. Files or executables in temporary folders are automatically be remediated if they are determined to be malicious. | +|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, and that have no device groups defined. If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| |**No automated response** | Devices do not get any automated investigations run on them.

***This option is not recommended**, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* | > [!IMPORTANT] > Regarding automation levels and default settings: > - If your tenant already has device groups defined, the automation level settings are not changed for those device groups. -> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you have not defined a device group, your organization's default setting is **Semi - require approval for any remediation**. -> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Semi - require approval for any remediation**. -> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you have not defined a device group, your orgnaization's default setting is **Full - remediate threats automatically**. -> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Full - remediate threats automatically**. +> - If your tenant was onboarded to Microsoft Defender for Endpoint *before* August 16, 2020, and you have not defined a device group, your organization's default setting is **Semi - require approval for any remediation**. +> - If your tenant was onboarded to Microsoft Defender for Endpoint *before* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Semi - require approval for any remediation**. 
+> - If your tenant was onboarded to Microsoft Defender for Endpoint *on or after* August 16, 2020, and you have not defined a device group, your orgnaization's default setting is **Full - remediate threats automatically**. +> - If your tenant was onboarded to Microsoft Defender for Endpoint *on or after* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Full - remediate threats automatically**. > - To change an automation level, **[edit your device groups](configure-automated-investigations-remediation.md#set-up-device-groups)**. 
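Review bot: The rewritten automation-level table in PATCH 10 carries three defects forward from the old rows instead of fixing them. (1) The "Semi - require approval for non-temp folders remediation" row still reads "are automatically be remediated" (drop "be"). (2) The "Semi - require approval for any remediation" row's added text still says "with Microsoft Defender ATP" while every other added line in this hunk uses "Microsoft Defender for Endpoint". (3) The IMPORTANT block's third bullet keeps the "orgnaization's" typo in its `+` line. Also, the "core folders" row ends with trailing `<br/>` paragraphs before the closing `|` (visible as the blank lines ahead of the lone `|`), which renders as empty space in the cell; trim them so the row ends at "...determined to be malicious. |" like the other rows.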
@@ -99,18 +100,18 @@ You can configure the following levels of automation: - Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). -- If your Microsoft Defender ATP tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed. +- If your Microsoft Defender for Endpoint tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed. -- If your Microsoft Defender ATP tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). 
+- If your Microsoft Defender for Endpoint tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). ## Next steps - [Learn about the automated investigations dashboard](manage-auto-investigation.md) -- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide) +- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) ## See also -- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) +- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) -- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) +- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) From dd1a0b4454deba7640464bae188939df4a218077 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 24 Sep 2020 16:15:42 -0700 Subject: [PATCH 11/38] AIR --- .../microsoft-defender-atp/auto-investigation-action-center.md | 3 ++- .../microsoft-defender-atp/automated-investigations.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index d8526c28d0..dde69872b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -14,7 +14,8 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.reviewer: ramarom, evaldm, isco, mabraitm +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs +ms.date: 09/24/2020 --- # View details and results of automated investigations diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 2b690278f0..c2063efc27 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -17,7 +17,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.reviewer: ramarom, evaldm, isco, mabraitm +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs ms.custom: AIR --- From b4cdf4ab53d4f3aed837b466facf2a6d275270f4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 24 Sep 2020 16:21:12 -0700 Subject: [PATCH 12/38] Update auto-investigation-action-center.md --- .../auto-investigation-action-center.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index dde69872b1..bca632927a 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -23,7 +23,7 @@ ms.date: 09/24/2020 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically. +During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically. If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation. @@ -165,5 +165,5 @@ When you click on the pending actions link, you'll be taken to the Action center - [View and approve remediation actions](manage-auto-investigation.md) -- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide) +- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) From 2b22e243d006e6aed21780767e6006c6e7a98cbf Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Thu, 24 Sep 2020 16:23:22 -0700 Subject: [PATCH 13/38] Update configure-automated-investigations-remediation.md --- .../configure-automated-investigations-remediation.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index c5015477eb..abaee0e466 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -1,10 +1,11 @@ --- title: Configure automated investigation and remediation capabilities -description: Set up your automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). +description: Set up your automated investigation and remediation capabilities in Microsoft Defender for Endpoint. keywords: configure, setup, automated, investigation, detection, alerts, remediation, response search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 +ms.technology: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,11 +15,12 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: conceptual -ms.reviewer: ramarom, evaldm, isco, mabraitm +ms.topic: article +ms.date: 09/24/2020 +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs --- -# Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection +# Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] 
From 3059d27a8a348390a9aa948b46d5180fff47495a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 24 Sep 2020 16:26:44 -0700 Subject: [PATCH 14/38] Update configure-automated-investigations-remediation.md --- .../configure-automated-investigations-remediation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index abaee0e466..6a3872d1b2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md 
@@ -27,9 +27,9 @@ ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs **Applies to** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) -If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). +If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). 
To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups). From d1df2170e773cf58a3c73b09f710e53ce3058c23 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 25 Sep 2020 14:15:13 -0700 Subject: [PATCH 15/38] Updated per task 4471196 --- .../configuration-service-provider-reference.md | 14 +++++++------- .../client-management/mdm/networkqospolicy-csp.md | 2 +- .../new-in-windows-mdm-enrollment-management.md | 1 + 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 0cd97100aa..d064a375ca 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1557,13 +1557,13 @@ Additional lists: Mobile Enterprise - cross mark - cross mark - cross mark - cross mark - cross mark - cross mark - cross mark + check mark + check mark + check mark + check mark + check mark + check mark + check mark diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index ee81816701..7fa8f960ce 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md 
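Review bot: In the PATCH 14 body hunk, the new sentence "If your organization is using [Microsoft Defender for Endpoint](...) (Microsoft Defender ATP), ..." keeps the old abbreviation in parentheses after the new name, so the rebrand is only half applied; the "Applies to" line two lines above in the same hunk drops the parenthetical, and this sentence should match: "If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/), [automated investigation and remediation capabilities](...) can save ...". The techcommunity blog URL still contains "microsoft-defender-atp", which is correct as a link target and should not be rebranded.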
@@ -25,7 +25,7 @@ The following actions are supported: - Layer 3 tagging using a differentiated services code point (DSCP) value > [!NOTE] -> The NetworkQoSPolicy configuration service provider is supported only in Microsoft Surface Hub. +> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on Azure AD Hybrid joined devices and for devices using GPO and CSP at the same time. The minimum operating system requirement for this CSP is Windows 10, version 2004. The following diagram shows the NetworkQoSPolicy configuration service provider in tree format. diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 6e07246916..d919c5f1a7 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1996,6 +1996,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o ### September 2020 |New or updated topic | Description| |--- | ---| +|[NetworkQoSPolicy CSP](networkqospolicy-csp.md)|Updated support information of the NetworkQoSPolicy CSP.| |[Policy CSP - LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:
- RecoveryConsole_AllowAutomaticAdministrativeLogon
- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
- DomainMember_DisableMachineAccountPasswordChanges
- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
| ### August 2020 From cdcb6c958f95bfbbda7166b19101191fcda365a1 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 28 Sep 2020 08:40:15 -0700 Subject: [PATCH 16/38] Updated the note --- windows/client-management/mdm/networkqospolicy-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 7fa8f960ce..61bdfa0cdc 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -25,7 +25,7 @@ The following actions are supported: - Layer 3 tagging using a differentiated services code point (DSCP) value > [!NOTE] -> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on Azure AD Hybrid joined devices and for devices using GPO and CSP at the same time. The minimum operating system requirement for this CSP is Windows 10, version 2004. +> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on Azure AD Hybrid joined devices and for devices using GPO and CSP at the same time. The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub for versions prior to Window 10, 2004. The following diagram shows the NetworkQoSPolicy configuration service provider in tree format. From 37f6ce8e7042fe777f9854aebca2f67067eeec34 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 28 Sep 2020 08:46:30 -0700 Subject: [PATCH 17/38] minor update --- windows/client-management/mdm/networkqospolicy-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
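Review bot: The configuration-service-provider-reference.md hunk in PATCH 15 flips all seven edition marks from "cross mark" to "check mark" with no accompanying text change, while the networkqospolicy-csp.md note in the same patch sets a minimum OS of Windows 10, version 2004 and limits support to Intune-managed, Azure AD joined devices. If this table follows the standard seven-column edition layout (Home, Pro, Business, Enterprise, Education, Mobile, Mobile Enterprise; the hunk's context line shows the "Mobile Enterprise" header), the last two marks now claim support on Mobile SKUs that never shipped a version 2004 build, and the Home mark claims support on an edition that cannot be Azure AD joined. Please confirm which columns this row actually covers, or flip only the editions the new note supports. The new "September 2020" row in new-in-windows-mdm-enrollment-management.md is a good addition; the LocalPoliciesSecurityOptions row beneath it shows the pattern that PATCH 19 (which removes `ADMX_Sharing/DisableHomeGroup`) should also follow.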
diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 61bdfa0cdc..19a52ed0be 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -25,7 +25,7 @@ The following actions are supported: - Layer 3 tagging using a differentiated services code point (DSCP) value > [!NOTE] -> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on Azure AD Hybrid joined devices and for devices using GPO and CSP at the same time. The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub for versions prior to Window 10, 2004. +> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on Azure AD Hybrid joined devices and for devices using GPO and CSP at the same time. The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Window 10, version 2004. The following diagram shows the NetworkQoSPolicy configuration service provider in tree format. From b42e4eeb073c7b296501112066c64c0e8c0a52d7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 11:30:57 -0700 Subject: [PATCH 18/38] Update review-scan-results-microsoft-defender-antivirus.md --- .../review-scan-results-microsoft-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md index 48ed7d3439..da893a1b8a 100644 
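Review bot: The final wording in PATCH 17's note still has two problems that PATCH 16 introduced. "prior to Window 10, version 2004" is missing the "s" in "Windows". More substantively, the note now states both that "The minimum operating system requirement for this CSP is Windows 10, version 2004" and that "This CSP is supported only in Microsoft Surface Hub prior to Window 10, version 2004", which contradict each other as written; scope the first sentence to the new support case, e.g. "On Intune-managed, Azure AD joined devices the minimum operating system requirement is Windows 10, version 2004. Before version 2004, this CSP is supported only on Microsoft Surface Hub." Minor style point: the documented term is "hybrid Azure AD joined", not "Azure AD Hybrid joined".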
--- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md @@ -40,7 +40,7 @@ The following cmdlet will return each detection on the endpoint. If there are mu Get-MpThreatDetection ``` -![IMAGEALT](images/defender/wdav-get-mpthreatdetection.png) +![screenshot of PowerShell cmdlets and outputs](images/defender/wdav-get-mpthreatdetection.png) You can specify `-ThreatID` to limit the output to only show the detections for a specific threat. @@ -50,7 +50,7 @@ If you want to list threat detections, but combine detections of the same threat Get-MpThreat ``` -![IMAGEALT](images/defender/wdav-get-mpthreat.png) +![screenshot of PowerShell](images/defender/wdav-get-mpthreat.png) See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. From c3e2a3d210b8c3e9884117f5b03e4f3ad72d9fd8 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 28 Sep 2020 12:02:59 -0700 Subject: [PATCH 19/38] Removed unsupported DisableHomeGroup setting --- .../policy-configuration-service-provider.md | 3 - .../mdm/policy-csp-admx-sharing.md | 77 ------------------- .../mdm/policy-csps-admx-backed.md | 1 - 3 files changed, 81 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index d6adbd08d4..0349f6cde6 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md 
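Review bot: Replacing the `IMAGEALT` placeholders in PATCH 18 is the right fix, but the two new alt texts are uneven: the first says "screenshot of PowerShell cmdlets and outputs" while the second, for the `Get-MpThreat` image, says only "screenshot of PowerShell". Alt text should tell a screen-reader user what the image shows, so name the cmdlet in both, e.g. `![Output of the Get-MpThreatDetection cmdlet in PowerShell](...)` and `![Output of the Get-MpThreat cmdlet in PowerShell](...)`.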
@@ -1014,9 +1014,6 @@ The following diagram shows the Policy configuration service provider in tree fo ### ADMX_Sharing policies
-
- ADMX_Sharing/DisableHomeGroup -
ADMX_Sharing/NoInplaceSharing
diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index 0a6a1a20dc..a293d2b013 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -22,9 +22,6 @@ manager: dansimp ## ADMX_Sharing policies
-
- ADMX_Sharing/DisableHomeGroup -
ADMX_Sharing/NoInplaceSharing
@@ -32,80 +29,6 @@ manager: dansimp
- -**ADMX_Sharing/DisableHomeGroup** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can add computers to a homegroup. By default, users can add their computer to a homegroup on a private network. - -If you enable this policy setting, users cannot add computers to a homegroup. This policy setting does not affect other network sharing features. - -If you disable or do not configure this policy setting, users can add computers to a homegroup. However, data on a domain-joined computer is not shared with the homegroup. - -This policy setting is not configured by default. - -You must restart the computer for this policy setting to take effect. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Prevent the computer from joining a homegroup* -- GP name: *DisableHomeGroup* -- GP path: *Windows Components\HomeGroup* -- GP ADMX file name: *Sharing.admx* - - - - -
- **ADMX_Sharing/NoInplaceSharing** diff --git a/windows/client-management/mdm/policy-csps-admx-backed.md b/windows/client-management/mdm/policy-csps-admx-backed.md index a28103799c..a580f4a524 100644 --- a/windows/client-management/mdm/policy-csps-admx-backed.md +++ b/windows/client-management/mdm/policy-csps-admx-backed.md @@ -254,7 +254,6 @@ ms.date: 08/18/2020 - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing) - [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots) - [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders) -- [ADMX_Sharing/DisableHomeGroup](./policy-csp-admx-sharing.md#admx-sharing-disablehomegroup) - [ADMX_Sharing/NoInplaceSharing](./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing) - [ADMX_ShellCommandPromptRegEditTools/DisableCMD](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd) - [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit) From b8f6e64d66e2b5c00e4036cbdfacff2628745381 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 28 Sep 2020 14:22:19 -0700 Subject: [PATCH 20/38] Added "http" to unlabeled code blocks --- .../exposed-apis-odata-samples.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index 9b5489f7ab..e5f5fcad0b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md 
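Review bot: the removal of the whole ADMX_Sharing/DisableHomeGroup section also removes the `#admx-sharing-disablehomegroup` anchor, and the second diff drops the entry in policy-csps-admx-backed.md, but nothing in the hunks confirms that this was the only inbound reference; please grep the CSP docs and the TOC for `DisableHomeGroup` and `admx-sharing-disablehomegroup` before merging so no other page is left pointing at a deleted heading. The deleted block is also worth a sanity check on why it is going: its edition table showed support only for Enterprise (Home, Pro, Business and Education all marked with a cross) and it was marked "Available in Windows 10 Insider Preview Build 20185", which suggests the policy was never broadly usable; a sentence in the commit message saying whether the setting was withdrawn from the build or simply never shipped would make the history clearer.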
@@ -41,7 +41,7 @@ Not all properties are filterable. Get 10 latest Alerts with related Evidence -``` +```http HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence ``` @@ -149,7 +149,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev Get all the alerts last updated after 2019-11-22 00:00:00 -``` +```http HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z ``` @@ -205,7 +205,7 @@ HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTi Get all the devices with 'High' 'RiskScore' -``` +```http HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High' ``` @@ -244,7 +244,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+ Get top 100 devices with 'HealthStatus' not equals to 'Active' -``` +```http HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100 ``` @@ -283,7 +283,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStat Get all the devices that last seen after 2018-10-20 -``` +```http HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z ``` @@ -322,7 +322,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen g Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP -``` +```http HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan' ``` @@ -354,7 +354,7 @@ json{ Get the count of open alerts for a specific device: -``` +```http HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved' ``` From 6b1363115cc0d0081e8bdf5b62ddf861e4174d1a Mon Sep 17 00:00:00 2001 
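Review bot: tagging these fences as `http` will make highlighters treat `HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence` as a request line, which it is not; a real request line is `GET /api/alerts?$top=10&$expand=evidence HTTP/1.1` with a separate `Host:` header, so either rewrite the samples in that form or leave the fences untagged. Since the context lines are visible here, a few inconsistencies could be fixed in the same pass: the first sample uses `api.securitycenter.microsoft.com` while the rest use `api.securitycenter.windows.com`; the sample described as "devices that last seen after 2018-10-20" actually filters on `lastSeen gt 2018-08-01Z`; the scan sample names `Analyst@examples.onmicrosoft.com` in the prose but `Analyst@contoso.com` in the `$filter`; and the `json{` fragment in the hunk header at `@@ -354,7 +354,7 @@` looks like a fence whose language tag was fused to its body.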
From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 14:24:00 -0700 Subject: [PATCH 21/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index c2063efc27..ffa07d00d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -79,10 +79,10 @@ You can configure the following levels of automation: |Automation level | Description| |---|---| -|**Full - remediate threats automatically** | All remediation actions are performed automatically.

***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, and that have no device groups defined. If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.*| +|**Full - remediate threats automatically** | All remediation actions are performed automatically.

***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, and that have no device groups defined.*

*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* | |**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories, such as your **Windows** and **Program files** folders.

Files or executables in other folders are automatically remediated, if those files or executables are determined to be malicious.

| |**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.

Examples of temporary folders include the user's **Downloads** folder, the user's `\AppData\Local\Temp` folder, and local settings for documents. Files or executables in temporary folders are automatically be remediated if they are determined to be malicious. | -|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, and that have no device groups defined. If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| +|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, and that have no device groups defined*.

*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| |**No automated response** | Devices do not get any automated investigations run on them.

***This option is not recommended**, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* | From 976ff713296d7fc50b8608556c56aaa2df533fa1 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 28 Sep 2020 15:51:42 -0700 Subject: [PATCH 22/38] add privacy --- windows/hub/index.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index b227d256a3..0ac1aa5523 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -93,15 +93,23 @@ landingContent: url: /windows/client-management/new-policies-for-windows-10 # Card (optional) - - title: Security + - title: Security and Privacy linkLists: - linkListType: how-to-guide links: - text: Windows 10 Enterprise Security url: /windows/security/index + - text: Windows Privacy + url: /windows/privacy/index - text: Identity and access management url: /windows/security/identity-protection/index - text: Threat protection url: /windows/security/threat-protection/index - text: Information protection url: /windows/security/information-protection/index + - text: Required diagnostic data + url: /windows/privacy/required-windows-diagnostic-data-events-and-fields-2004 + - text: Optional diagnostic data + url: /windows/privacy/windows-diagnostic-data + - text: Changes to Windows diagnostic data collection + url: /windows/privacy/changes-to-windows-diagnostic-data-collection From 0089cdae4f9fdb24e129e8838ca981bbd266901f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 15:53:30 -0700 Subject: [PATCH 23/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
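Review bot: in PATCH 21/38, the "Semi - require approval for any remediation" row closes its italics before the period (`with no device groups defined*.`) while the "Full - remediate threats automatically" row closes after it (`defined.*`), so the two cells will render differently; pick one. Two other things in the same table are worth fixing while it is being touched: the "Full" row says "Microsoft Defender for Endpoint" and the "Semi - any remediation" row says "Microsoft Defender ATP" for the same product, and the unchanged "non-temp folders" row still reads "are automatically be remediated".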
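Review bot: in PATCH 22/38, the new "Required diagnostic data" link targets the version-specific page `/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004`, which will go stale when the next release ships; if a version-neutral page exists, link that instead, otherwise note that this card needs updating with each release. The card is renamed "Security and Privacy", but the privacy links are interleaved rather than grouped: "Windows Privacy" sits between "Windows 10 Enterprise Security" and "Identity and access management", and the three diagnostic-data links trail the security links; putting the privacy links together (or in their own `linkListType`) would read better.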
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index ffa07d00d3..df01a2271f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -79,11 +79,11 @@ You can configure the following levels of automation: |Automation level | Description| |---|---| -|**Full - remediate threats automatically** | All remediation actions are performed automatically.

***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, and that have no device groups defined.*

*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* | -|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories, such as your **Windows** and **Program files** folders.

Files or executables in other folders are automatically remediated, if those files or executables are determined to be malicious.

| -|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.

Examples of temporary folders include the user's **Downloads** folder, the user's `\AppData\Local\Temp` folder, and local settings for documents. Files or executables in temporary folders are automatically be remediated if they are determined to be malicious. | -|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, and that have no device groups defined*.

*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| -|**No automated response** | Devices do not get any automated investigations run on them.

***This option is not recommended**, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* | +|**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.

**This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.

If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**. | +|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** and **Program files** folders (`'System': ['?:\windows\*']`). | +|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folder locations can include the following:
- `?:\users\*\appdata\local\temp\*`
- `?:\documents and settings\*\local settings\temp\*`
- `?:\documents and settings\*\local settings\temporary\*`
- `?:\windows\temp\*`
- `?:\users\*\downloads\*', r'?:\downloads\*`
- `?:\program files\*', r'?:\program files (x86)\*`
- `?:\documents and settings\*', r'?:\users\*` | +|**Semi - require approval for any remediation** | Approval is required for any remediation action.

This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.

If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.| +|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.

**This option is not recommended**, because it reduces the security posture of your organization's devices. | > [!IMPORTANT] From 24c8bbb9e55bb7f42b85d8d8d8533cedca152f35 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 16:04:13 -0700 Subject: [PATCH 24/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index df01a2271f..0200a973b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -81,7 +81,7 @@ You can configure the following levels of automation: |---|---| |**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.
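Review bot: in PATCH 23/38, the "Semi - require approval for non-temp folders remediation" row lists `?:\program files\*`, `?:\program files (x86)\*`, `?:\documents and settings\*` and `?:\users\*` as temporary folders, which contradicts the row above it that calls Program files a core folder, and it means remediation would run without analyst approval on everything under Program Files and every user profile; this needs confirming with the feature team rather than just reformatting, because the table is what tells a customer when files get quarantined automatically. The list also carries Python list-literal residue copied from source (`'System': ['?:\windows\*']` in the core-folders row, `?:\users\*\downloads\*', r'?:\downloads\*'` and `?:\documents and settings\*', r'?:\users\*` in the temp list), which should become one path per bullet.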

**This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.

If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**. | |**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** and **Program files** folders (`'System': ['?:\windows\*']`). | -|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folder locations can include the following:
- `?:\users\*\appdata\local\temp\*`
- `?:\documents and settings\*\local settings\temp\*`
- `?:\documents and settings\*\local settings\temporary\*`
- `?:\windows\temp\*`
- `?:\users\*\downloads\*', r'?:\downloads\*`
- `?:\program files\*', r'?:\program files (x86)\*`
- `?:\documents and settings\*', r'?:\users\*` | +|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folder locations can include the following:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*', \downloads\*`
- `\program files\*', r'?:\program files (x86)\*`
- `\documents and settings\*\users\*` | |**Semi - require approval for any remediation** | Approval is required for any remediation action.

This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.

If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.| |**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.

**This option is not recommended**, because it reduces the security posture of your organization's devices. | From d474f14623acec0f664c38571dafbef770d7e2bc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 16:07:01 -0700 Subject: [PATCH 25/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 0200a973b4..878ac369c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -81,7 +81,7 @@ You can configure the following levels of automation: |---|---| |**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.
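Review bot: in PATCH 24/38, dropping the `?:` drive prefix leaves the literal residue only half cleaned: `\users\*\downloads\*', \downloads\*` and `\program files\*', r'?:\program files (x86)\*` still contain quote and `r'` fragments, and the last two entries have been merged into `\documents and settings\*\users\*`, which is not a real path; if those folders are meant to be listed at all, they should be `\documents and settings\*` and `\users\*` as separate bullets.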

**This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.

If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**. | |**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** and **Program files** folders (`'System': ['?:\windows\*']`). | -|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folder locations can include the following:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*', \downloads\*`
- `\program files\*', r'?:\program files (x86)\*`
- `\documents and settings\*\users\*` | +|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folder locations can include the following:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` | |**Semi - require approval for any remediation** | Approval is required for any remediation action.

This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.

If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.| |**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.

**This option is not recommended**, because it reduces the security posture of your organization's devices. | From 620d92f4c5bb230cebcaa6101b56ebf0f61a14d4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 17:05:30 -0700 Subject: [PATCH 26/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 878ac369c2..630f0e3730 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -80,9 +80,9 @@ You can configure the following levels of automation: |Automation level | Description| |---|---| |**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.
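Review bot: in PATCH 25/38, splitting Program Files into two bullets is right, but `\program files\` lost its trailing `*` and no longer matches the pattern form of the other entries, and `\documents and settings\*\users\*` is still a single bogus path; the core-folders row also still shows the raw `'System': ['?:\windows\*']` literal, so the same cleanup applied to the temp list should be applied there.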

**This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.

If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**. | -|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** and **Program files** folders (`'System': ['?:\windows\*']`). | -|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folder locations can include the following:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` | -|**Semi - require approval for any remediation** | Approval is required for any remediation action.

This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.

If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.| +|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** and **Program files** folders (`\windows\*`). | +|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folder locations can include the following:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` | +|**Semi - require approval for any remediation** | Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.

If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.| |**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.

**This option is not recommended**, because it reduces the security posture of your organization's devices. | From d08bc883a04654c74fee7fbb4f0c2a06b84a617f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 17:12:44 -0700 Subject: [PATCH 27/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 630f0e3730..0fdcfad7d8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -79,11 +79,11 @@ You can configure the following levels of automation: |Automation level | Description| |---|---| -|**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.
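Review bot: in PATCH 26/38, the core-folders example is now `\windows\*`, but the sentence still names "Program files" as a core folder while the next row lists `\program files\` and `\program files (x86)\*` among the temporary folders, so one of the two rows is wrong; for a table that decides when remediation runs without approval, that contradiction should be resolved with the product team rather than restyled. `\documents and settings\*\users\*` is unchanged and still needs splitting.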

**This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.

If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**. | -|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** and **Program files** folders (`\windows\*`). | -|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folder locations can include the following:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` | -|**Semi - require approval for any remediation** | Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.

If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.| -|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.

**This option is not recommended**, because it reduces the security posture of your organization's devices. | +|**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.

***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*

*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* | +|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). | +|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` | +|**Semi - require approval for any remediation** | Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*

*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| +|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.

***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* | > [!IMPORTANT] From c557e358f05cf4cb1a6da18c4f32ea6ba2618e0b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 17:13:57 -0700 Subject: [PATCH 28/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 0fdcfad7d8..d086b4d656 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 09/24/2020 +ms.date: 09/28/2020 ms.localizationpriority: medium manager: dansimp audience: ITPro From 7b1dbdd3474405e945965016285efe192d5997a1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 17:16:37 -0700 Subject: [PATCH 29/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index d086b4d656..1ae99ac9ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
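Review bot: in the automation-levels table hunk above, the "Semi - require approval for core folders remediation" row is missing a noun: "such as the **Windows** (`\windows\*`)" should read "such as the **Windows** directory (`\windows\*`)". In the "non-temp folders" row, the entry `\program files\` lacks the trailing `*` that every other entry carries, and `\program files\`, `\program files (x86)\*` and `\users\*\downloads\*` appear under "Temporary folders can include the following examples" although the row's own definition is that approval is required outside temporary folders; please confirm this list is the intended automatic-remediation scope, or reword the lead-in so the reader is not told that Program Files is a temporary folder. The "Semi - require approval for any remediation" row still says "Microsoft Defender ATP" while the "Full" row says "Microsoft Defender for Endpoint"; the series renames the product elsewhere, so align it here. Markdown: `***This option is recommended**...*` and `***This option is not recommended**...*` nest bold inside italic with the closing `*` placed after the link in the last row, and that last sentence has no terminal period; "[Action Center]" is capitalized here but "[Action center]" in the rest of the series.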
@@ -1,7 +1,7 @@ --- title: Use automated investigations to investigate and remediate threats -description: Understand the automated investigation flow in Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint). -keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export +description: Understand the automated investigation flow in Microsoft Defender for Endpoint. +keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export, defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 From aa1dd7fd39dab39e15342bfc62246282e90ecaa6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 17:28:27 -0700 Subject: [PATCH 30/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 1ae99ac9ef..9b4bcf4d73 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -28,9 +28,9 @@ ms.custom: AIR > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] -Microsoft Defender for Endpoint offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender for Endpoint includes automated investigation and remediation capabilities. +Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. It can be challenging for a security operations team to address the multitude of alerts that can arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively. -Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated. +Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. 
Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and pending or completed actions. > [!TIP] > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) From 3c83c2f56a6525bafc099f58bd5e32dac63cdf0f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 17:29:05 -0700 Subject: [PATCH 31/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 9b4bcf4d73..02e93804e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -28,7 +28,7 @@ ms.custom: AIR > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] -Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. It can be challenging for a security operations team to address the multitude of alerts that can arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively. +Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. It can be challenging for a security operations team to address the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address such threats more efficiently and effectively. Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and pending or completed actions. From 5cdf2791b9742e53ae1ca608377223e68cffbb2e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 17:30:17 -0700 Subject: [PATCH 32/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 02e93804e6..af924f7b4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -28,9 +28,9 @@ ms.custom: AIR > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] -Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. It can be challenging for a security operations team to address the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address such threats more efficiently and effectively. +Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. It can be challenging for your security operations team to address the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address such threats more efficiently and effectively. -Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and pending or completed actions. +Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. 
Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions. > [!TIP] > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) From c34611c8c20d9a43a56f1800688bce79c39fd740 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 17:34:33 -0700 Subject: [PATCH 33/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index af924f7b4e..31c5202907 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -28,7 +28,7 @@ ms.custom: AIR > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] -Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. It can be challenging for your security operations team to address the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address such threats more efficiently and effectively. +Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. It can be challenging for your security operations team to address the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation an d remediation capabilities that can help your security operations team address such threats more efficiently and effectively. Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions. 
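Review bot: the `+` line introduces a typo, "includes automated investigation an d remediation capabilities", which is only corrected two commits later in PATCH 35; fix it in this commit (or squash PATCH 35 into it) so that no intermediate revision of the page carries the broken word.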
@@ -98,11 +98,11 @@ You can configure the following levels of automation: ### A few points to keep in mind -- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). +- Your level of automation is determined by your device group settings. To learn more, see [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). -- If your Microsoft Defender for Endpoint tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed. +- If your Microsoft Defender for Endpoint tenant was created before August 16, 2020, then you have a default device group that is configured for semi-automatic remediation. In this case, some or all remediation actions for malicious entities require approval. Such actions are listed on the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can set your [device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups) to use full automation so that no user approval is needed. 
-- If your Microsoft Defender for Endpoint tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). +- If your Microsoft Defender for Endpoint tenant was created on or after August 16, 2020, then you have a default device group that is configured for full automation. In this case, remediation actions are taken automatically for entities that are considered to be malicious. Such actions are listed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). ## Next steps From e4a2d0e0b0d511a341436e340377b347b00e1fb8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 17:35:28 -0700 Subject: [PATCH 34/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 31c5202907..7dded81134 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
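Review bot: the rewritten second bullet, "some or all remediation actions for malicious entities require approval", is less precise than the line it replaces. The IMPORTANT note and the table earlier on the page say a tenant onboarded before August 16, 2020 with no device groups defaults to **Semi - require approval for any remediation**, under which every remediation action needs approval, so "some or all" hedges without reason. Suggest naming the level: "...configured for **Semi - require approval for any remediation**, so every remediation action requires approval." The same bullet now links to the `#set-up-device-groups` anchor twice within two sentences ("Set up device groups" in the first bullet and "device groups" in the second); one link per bullet is enough.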
@@ -88,7 +88,7 @@ You can configure the following levels of automation: > [!IMPORTANT] > Regarding automation levels and default settings: -> - If your tenant already has device groups defined, the automation level settings are not changed for those device groups. +> - If your tenant already has device groups defined, then the automation level settings are not changed for those device groups. > - If your tenant was onboarded to Microsoft Defender for Endpoint *before* August 16, 2020, and you have not defined a device group, your organization's default setting is **Semi - require approval for any remediation**. > - If your tenant was onboarded to Microsoft Defender for Endpoint *before* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Semi - require approval for any remediation**. > - If your tenant was onboarded to Microsoft Defender for Endpoint *on or after* August 16, 2020, and you have not defined a device group, your orgnaization's default setting is **Full - remediate threats automatically**. From ef6796205d4cd8060c7564d8da17befb970ef48c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 17:36:12 -0700 Subject: [PATCH 35/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 7dded81134..83dccf978d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
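Review bot: while editing this block, fix the typo "orgnaization's" in the fourth bullet, which is an unchanged context line of this very hunk. The added "then" is fine, but the "If ..., then ..." construction is applied only to the first bullet, so the four parallel bullets now read inconsistently; either add "then" to all of them or to none.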
@@ -28,7 +28,7 @@ ms.custom: AIR > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] -Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. It can be challenging for your security operations team to address the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation an d remediation capabilities that can help your security operations team address such threats more efficiently and effectively. +Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. It can be challenging for your security operations team to address the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively. Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions. From 4e2cb994a424a25e8cf41cd6d66db4ab3a689079 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 17:37:39 -0700 Subject: [PATCH 36/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
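Review bot: this hunk reverts the "an d" typo introduced by PATCH 33 and, in the same line, silently drops "such" from "address such threats". Squash the typo fix into the commit that introduced it so the series has no revision with broken text, and keep the wording change as a separate, described change if it is intended.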
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 83dccf978d..8a4f8821f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -28,7 +28,7 @@ ms.custom: AIR > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] -Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. It can be challenging for your security operations team to address the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively. +Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively. Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions. From b20b118e5fc1426c4de425403746e76030d97268 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 17:39:16 -0700 Subject: [PATCH 37/38] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 8a4f8821f9..60ce36b363 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -30,7 +30,7 @@ ms.custom: AIR Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively. -Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions. +Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions. > [!TIP] > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) From 6227aed3495be1a2436e08e5ebdde010a9d28a56 Mon Sep 17 00:00:00 2001 
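Review bot: in the `@@ -30,7` hunk of PATCH 37, "Automated investigation uses various inspection algorithms and processes used by analysts" repeats "use" twice in one clause and drops the parenthetical "(such as playbooks)" that gave the reader a concrete example of an analyst process. Suggest: "Automated investigation applies inspection algorithms and analyst processes (such as playbooks) to examine alerts and take immediate action to resolve breaches."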
From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 17:42:17 -0700 Subject: [PATCH 38/38] Update automated-investigations.md --- .../automated-investigations.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 60ce36b363..898c4f141e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -52,15 +52,15 @@ During and after an automated investigation, you can view details about the inve |Tab |Description | |--|--| -|**Alerts**| Shows the alert that started the investigation.| -|**Devices** |Shows where the alert was seen.| -|**Evidence** |Shows the entities that were found to be malicious during the investigation.| -|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). | -|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.| +|**Alerts**| The alert(s) that started the investigation.| +|**Devices** |The device(s) where the threat was seen.| +|**Evidence** |The entities that were found to be malicious during an investigation.| +|**Entities** |Details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). | +|**Log** |The chronological, detailed view of all the investigation actions taken on the alert.| |**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. | > [!IMPORTANT] -> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions. +> Go to the **[Action center](auto-investigation-action-center.md)** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions. ## How an automated investigation expands its scope 
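Review bot: the `+` line of the IMPORTANT note keeps the pre-existing grammar slip "get an aggregated view all pending actions" (missing "of"); since the line is being rewritten anyway, make it "an aggregated view of all pending actions". Wrapping the link in bold, `**[Action center](auto-investigation-action-center.md)**`, is inconsistent with the rest of the page, which bolds UI names but not links; and "Action center" here versus "Action Center" in the automation-levels table should be made consistent. In the table rows, "The alert(s)" and "The device(s)" introduce "(s)" plurals that the other rows avoid; plain plurals ("The alerts that started the investigation") read better.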
@@ -70,7 +70,7 @@ If an incriminated entity is seen in another device, the automated investigation ## How threats are remediated -Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats. +Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats. > [!NOTE] > Microsoft Defender for Endpoint tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
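Review bot: the rewritten line still labels user approval as "(default)", which contradicts the NOTE two lines below it stating that tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. Either drop "(default)" or qualify it, for example "requires user approval (the default for tenants created before August 16, 2020) or automatically takes action to remediate threats".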