diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md
index 168974c2fa..a69df6d2ff 100644
--- a/store-for-business/includes/store-for-business-content-updates.md
+++ b/store-for-business/includes/store-for-business-content-updates.md
@@ -2,6 +2,15 @@
+## Week of November 23, 2020
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 11/23/2020 | [Microsoft Store for Business and Microsoft Store for Education overview (Windows 10)](/microsoft-store/microsoft-store-for-business-overview) | modified |
+| 11/23/2020 | [Prerequisites for Microsoft Store for Business and Education (Windows 10)](/microsoft-store/prerequisites-microsoft-store-for-business) | modified |
+
+
## Week of October 26, 2020
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index d064a375ca..dcf8eec173 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -2728,6 +2728,7 @@ The following list shows the CSPs supported in HoloLens devices:
| [DiagnosticLog CSP](diagnosticlog-csp.md) |  |  |  |
| [DMAcc CSP](dmacc-csp.md) |  |  |  |
| [DMClient CSP](dmclient-csp.md) |  |  |  |
+| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) |  |  |  10 |
| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |  |  |  |
| [NetworkProxy CSP](networkproxy-csp.md) |  |  |  |
| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) |  |  |  8|
@@ -2737,6 +2738,7 @@ The following list shows the CSPs supported in HoloLens devices:
| [RemoteFind CSP](remotefind-csp.md) |  |  4 |  |
| [RemoteWipe CSP](remotewipe-csp.md) |  |  4 |  |
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |  |
+| [TenantLockdown CSP](tenantlockdown-csp.md) |  |  |  10 |
| [Update CSP](update-csp.md) |  |  |  |
| [VPNv2 CSP](vpnv2-csp.md) |  |  |  |
| [WiFi CSP](wifi-csp.md) |  |  |  |
@@ -2745,7 +2747,9 @@ The following list shows the CSPs supported in HoloLens devices:
## CSPs supported in Microsoft Surface Hub
-- [Accounts CSP](accounts-csp.md)9 **Note:** Support in Surface Hub is limited to **Domain\ComputerName**.
+- [Accounts CSP](accounts-csp.md)9
+ > [!NOTE]
+ > Support in Surface Hub is limited to **Domain\ComputerName**.
- [AccountManagement CSP](accountmanagement-csp.md)
- [APPLICATION CSP](application-csp.md)
- [CertificateStore CSP](certificatestore-csp.md)
@@ -2813,3 +2817,4 @@ The following list shows the CSPs supported in HoloLens devices:
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
- 9 - Added in Windows 10 Team 2020 Update
+- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index c55b476746..f60f34e592 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -388,12 +388,12 @@ On **MDT01**:
1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**.
2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start.
- >[!IMPORTANT]
- >The current version of MDT (8456) has a known issue generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. As a temporary workaround:
- >- Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144.
- >- Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe).
- >- Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim).
- >- After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml.
+ > [!IMPORTANT]
+ > The ADK version 1903 has a [known issue](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](https://docs.microsoft.com/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903:
+ > - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144.
+ > - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe).
+ > - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim).
+ > - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml.
3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry.
4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values:
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 26a28b9593..8042bad1d8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -24,10 +24,10 @@ ms.reviewer:
- Key trust
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
-Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
+Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index c2d26e8f57..f3396e65c3 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -439,16 +439,8 @@
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
-### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
-
-
-
-
-
-
-
-
-
+### [Threat analytics overview](microsoft-defender-atp/threat-analytics.md)
+#### [Read the analyst report](microsoft-defender-atp/threat-analytics-analyst-reports.md)
## [How-to]()
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 3e1ede3c5e..6c6a1ea7cc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -152,7 +152,7 @@ You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windo
> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
> - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.
-Support for Windows Server, provide deeper insight into activities happening on the Windows server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
+Support for Windows Server provides deeper insight into server activities, coverage for kernel and memory attack detection, and enables response actions.
1. Configure Defender for Endpoint onboarding settings on the Windows server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
index 298867cbc0..f311d48c09 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
@@ -27,25 +27,50 @@ ms.topic: article
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-There are three phases in deploying Defender for Endpoint:
-|Phase | Description |
-|:-------|:-----|
-| 
[Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Defender for Endpoint:
- Stakeholders and sign-off
- Environment considerations
- Access
- Adoption order
-| 
[Phase 2: Setup](production-deployment.md)| Take the initial steps to access Microsoft Defender Security Center. You'll be guided on:
- Validating the licensing
- Completing the setup wizard within the portal
- Network configuration|
-| 
[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them.
+Microsoft Defender for Endpoint has the capabilities to effectively protect your enterprise from cyber threats.
+
+Learn how to deploy Microsoft Defender for Endpoint so that your enterprise can take advantage of preventative protection, post-breach detection, automated investigation, and response.
+This solution provides guidance on the three phases of deployment. Each section corresponds to a separate article in this solution.
-The deployment guide will guide you through the recommended path in deploying Defender for Endpoint.
+
-If you're unfamiliar with the general deployment planning steps, check out the [Plan deployment](deployment-strategy.md) topic to get a high-level overview of the general deployment steps and methods.
+Regardless of the environment architecture and method of deployment you choose outlined in the [Plan deployment](deployment-strategy.md) guidance, this guide is going to support you in onboarding endpoints.
+## Prepare
+Learn about what you need to consider when deploying Defender for Endpoint such as stakeholder approvals, environment considerations, access permissions, and adoption order of capabilities.
-## In Scope
+## Setup
+Get guidance on the initial steps you need to take so that you can access the portal such as validating licensing, completing the setup wizard, and network configuration.
-The following is in scope for this deployment guide:
+## Onboard
+Learn how to make use of deployment rings, supported onboarding tools based on the type of endpoint, and configuring available capabilities.
+
+
+## Key capabilities
+
+This solution provides the following key capabilities:
+
+Capability | Description
+:---|:---
+Eliminate risks and reduce your attack surface| Use attack surface reduction to minimize the areas where your organization could be vulnerable to threats.
+Block sophisticated threats and malware | Defend against never-before-seen polymorphic and metamorphic malware and fileless and file-based threats with next-generation protection.
+Remediation at scale with automation | Automatically investigate alerts and remediate complex threats in minutes. Apply best practices and intelligent decision-making algorithms to determine whether a threat is active and what action to take.
+Discover vulnerabilities and misconfigurations in real time | Bring security and IT together with Microsoft Threat & Vulnerability Management to quickly discover, prioritize, and remediate vulnerabilities and misconfigurations.
+Get expert-level threat monitoring and analysis | Empower your security operations centers with Microsoft Threat Experts. Get deep knowledge, advanced threat monitoring, analysis, and support to identify critical threats in your unique environment.
+Detect and respond to advanced attacks with behavioral monitoring | Spot attacks and zero-day exploits using advanced behavioral analytics and machine learning.
+Cross-platform support | Microsoft Defender for Endpoint provides security for non-Windows platforms including Mac, Linux servers, and Android.
+Evaluate capabilities | Fully evaluate our capabilities with a few simple clicks in the Microsoft Defender for Endpoint evaluation lab.
+Streamline and integrate via APIs | Integrate Microsoft Defender for Endpoint with your security solutions and streamline and automate security workflows with rich APIs.
+Simplify endpoint security management | Use a single pane of glass for all endpoint security actions, such as endpoint configuration, deployment, and management with Microsoft Endpoint Manager.
+
+
+## Scope
+
+### In scope
- Use of Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager to onboard endpoints into the service and configure capabilities
@@ -59,10 +84,19 @@ The following is in scope for this deployment guide:
- Attack surface reduction
-## Out of scope
+### Out of scope
The following are out of scope of this deployment guide:
- Configuration of third-party solutions that might integrate with Defender for Endpoint
- Penetration testing in production environment
+
+
+
+
+## See also
+- [Phase 1: Prepare](prepare-deployment.md)
+- [Phase 2: Set up](production-deployment.md)
+- [Phase 3: Onboard](onboarding.md)
+- [Plan deployment](deployment-strategy.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
index 9c14158aa2..b7def4676f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
@@ -25,15 +25,14 @@ ms.topic: article
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
-Depending on the requirements of your environment, we've put together material to help guide you through the various options you can adopt to deploy Defender for Endpoint.
-These are the general steps you need to take to deploy Defender for Endpoint:
+Plan your Microsoft Defender for Endpoint deployment so that you can maximize the security capabilities within the suite and better protect your enterprise from cyber threats.
-
-- Identify architecture
-- Select deployment method
-- Configure capabilities
+This solution provides guidance on how to identify your environment architecture, select the type of deployment tool that best fits your needs, and guidance on how to configure capabilities.
+
+
+
## Step 1: Identify architecture
@@ -43,7 +42,7 @@ Depending on your environment, some tools are better suited for certain architec
Use the following material to select the appropriate Defender for Endpoint architecture that best suites your organization.
-|**Item**|**Description**|
+| Item | Description |
|:-----|:-----|
|[](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)
[PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: - Cloud-native
- Co-management
- On-premise
- Evaluation and local onboarding
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
index ba855cf88a..83538214ec 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
@@ -10,7 +10,7 @@ ms.sitesec: library
ms.localizationpriority: medium
audience: ITPro
author: appcompatguy
-ms.author: cjacks
+ms.author: saudm
ms.date: 07/20/2020
ms.reviewer:
manager: saudm
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/deployment-phases.png b/windows/security/threat-protection/microsoft-defender-atp/images/deployment-phases.png
new file mode 100644
index 0000000000..0875ace467
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/deployment-phases.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/plan-deployment.png b/windows/security/threat-protection/microsoft-defender-atp/images/plan-deployment.png
new file mode 100644
index 0000000000..60313bb2da
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/plan-deployment.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report-small.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report-small.png
new file mode 100644
index 0000000000..c71d67f43f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report-small.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png
index 8106b9e665..957d61d441 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
index 9e61246a70..7aa3fdcc1e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@@ -31,19 +31,26 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
## Before you begin:
1. Create an [event hub](https://docs.microsoft.com/azure/event-hubs/) in your tenant.
-2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
+
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights**.
## Enable raw data streaming:
1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) with a Global Admin user.
-2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
-3. Click on **Add data export settings**.
-4. Choose a name for your new settings.
-5. Choose **Forward events to Azure Event Hubs**.
-6. Type your **Event Hubs name** and your **Event Hubs resource ID**.
- In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
- 
+2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
+
+3. Click on **Add data export settings**.
+
+4. Choose a name for your new settings.
+
+5. Choose **Forward events to Azure Event Hubs**.
+
+6. Type your **Event Hubs name** and your **Event Hubs resource ID**.
+
+ In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
+
+ 
7. Choose the events you want to stream and click **Save**.
@@ -64,8 +71,11 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
```
- Each event hub message in Azure Event Hubs contains list of records.
+
- Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
+
- For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+
- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information.
## Data types mapping:
@@ -73,21 +83,22 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
To get the data types for event properties do the following:
1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
+
2. Run the following query to get the data types mapping for each event:
-```
-{EventType}
-| getschema
-| project ColumnName, ColumnType
-
-```
+ ```
+ {EventType}
+ | getschema
+ | project ColumnName, ColumnType
+ ```
- Here is an example for Device Info event:
-
+ 
## Related topics
- [Overview of Advanced Hunting](advanced-hunting-overview.md)
- [Microsoft Defender for Endpoint streaming API](raw-data-export.md)
- [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)
- [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/)
+- [Troubleshoot connectivity issues - Azure Event Hubs](https://docs.microsoft.com/azure/event-hubs/troubleshooting-guide)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
index 804a1ff98e..8dae2a2358 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@@ -31,19 +31,24 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
## Before you begin:
1. Create a [Storage account](https://docs.microsoft.com/azure/storage/common/storage-account-overview) in your tenant.
+
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights**.
-3. Go to **Settings > Advanced Features > Preview features** and turn Preview features **On**.
## Enable raw data streaming:
1. Log in to [Microsoft Defender for Endpoint portal](https://securitycenter.windows.com) with Global Admin user.
-2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
-3. Click on **Add data export settings**.
-4. Choose a name for your new settings.
-5. Choose **Forward events to Azure Storage**.
-6. Type your **Storage Account Resource Id**. In order to get your **Storage Account Resource Id**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
- 
+2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
+
+3. Click on **Add data export settings**.
+
+4. Choose a name for your new settings.
+
+5. Choose **Forward events to Azure Storage**.
+
+6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
+
+ 
7. Choose the events you want to stream and click **Save**.
@@ -51,22 +56,25 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
- A blob container will be created for each event type:
-
+ 
- The schema of each row in a blob is the following JSON:
-```
-{
- "time": ""
- "tenantId": ""
- "category": ""
- "properties": { }
-}
-```
+ ```
+ {
+ "time": ""
+ "tenantId": ""
+ "category": ""
+ "properties": { }
+ }
+ ```
- Each blob contains multiple rows.
+
- Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
+
- For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+
- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information.
## Data types mapping:
@@ -74,18 +82,18 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
In order to get the data types for our events properties do the following:
1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
+
2. Run the following query to get the data types mapping for each event:
-```
-{EventType}
-| getschema
-| project ColumnName, ColumnType
-
-```
+ ```
+ {EventType}
+ | getschema
+ | project ColumnName, ColumnType
+ ```
- Here is an example for Device Info event:
-
+ 
## Related topics
- [Overview of Advanced Hunting](advanced-hunting-overview.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md
new file mode 100644
index 0000000000..30c8152b76
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md
@@ -0,0 +1,85 @@
+---
+title: Understand the analyst report section in threat analytics
+ms.reviewer:
+description: Learn about the analyst report section of each threat analytics report. Understand how it provides information about threats, mitigations, detections, advanced hunting queries, and more.
+keywords: analyst report, threat analytics, detections, advanced hunting queries, mitigations,
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Understand the analyst report in threat analytics
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Each [threat analytics report](threat-analytics.md) includes dynamic sections and a comprehensive written section called the _analyst report_. To access this section, open the report about the tracked threat and select the **Analyst report** tab.
+
+
+
+_Analyst report section of a threat analytics report_
+
+## Scan the analyst report
+Each section of the analyst report is designed to provide actionable information. While reports vary, most reports include the sections described in the following table.
+
+| Report section | Description |
+|--|--|
+| Executive summary | Overview of the threat, including when it was first seen, its motivations, notable events, major targets, and distinct tools and techniques. You can use this information to further assess how to prioritize the threat in the context of your industry, geographic location, and network. |
+| Analysis | Technical information about the threats, including the details of an attack and how attackers might utilize a new technique or attack surface |
+| MITRE ATT&CK techniques observed | How observed techniques map to the [MITRE ATT&CK attack framework](https://attack.mitre.org/) |
+| [Mitigations](#apply-additional-mitigations) | Recommendations that can stop or help reduce the impact of the threat. This section also includes mitigations that aren't tracked dynamically as part of the threat analytics report. |
+| [Detection details](#understand-how-each-threat-can-be-detected) | Specific and generic detections provided by Microsoft security solutions that can surface activity or components associated with the threat. |
+| [Advanced hunting](#find-subtle-threat-artifacts-using-advanced-hunting) | [Advanced hunting queries](advanced-hunting-overview.md) for proactively identifying possible threat activity. Most queries are provided to supplement detections, especially for locating potentially malicious components or behaviors that couldn't be dynamically assessed to be malicious. |
+| References | Microsoft and third-party publications referenced by analysts during the creation of the report. Threat analytics content is based on data validated by Microsoft researchers. Information from publicly available, third-party sources are identified clearly as such. |
+| Change log | The time the report was published and when significant changes were made to the report. |
+
+## Apply additional mitigations
+Threat analytics dynamically tracks the [status of security updates and secure configurations](threat-analytics.md#mitigations-review-list-of-mitigations-and-the-status-of-your-devices). This information is available as charts and tables in the **Mitigations** tab.
+
+In addition to these tracked mitigations, the analyst report also discusses mitigations that are _not_ dynamically monitored. Here are some examples of important mitigations that are not dynamically tracked:
+
+- Block emails with _.lnk_ attachments or other suspicious file types
+- Randomize local administrator passwords
+- Educate end users about phishing email and other threat vectors
+- Turn on specific [attack surface reduction rules](attack-surface-reduction.md)
+
+While you can use the **Mitigations** tab to assess your security posture against a threat, these recommendations let you take additional steps towards improving your security posture. Carefully read all the mitigation guidance in the analyst report and apply them whenever possible.
+
+## Understand how each threat can be detected
+The analyst report also provides the detections from Microsoft Defender for Endpoint antivirus and _endpoint detection and response_ (EDR) capabilities.
+
+### Antivirus detections
+These detections are available on devices with [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) turned on. When these detections occur on devices that have been onboarded to Microsoft Defender for Endpoint, they also trigger alerts that light up the charts in the report.
+
+>[!NOTE]
+>The analyst report also lists **generic detections** that can identify a wide-range of threats, in addition to components or behaviors specific to the tracked threat. These generic detections don't reflect in the charts.
+
+### Endpoint detection and response (EDR) alerts
+EDR alerts are raised for [devices onboarded to Microsoft Defender for Endpoint](onboard-configure.md). These alerts generally rely on security signals collected by the Microsoft Defender for Endpoint sensor and other endpoint capabilities—such as antivirus, network protection, tamper protection—that serve as powerful signal sources.
+
+Like the list of antivirus detections, some EDR alerts are designed to generically flag suspicious behavior that might not be associated with the tracked threat. In such cases, the report will clearly identify the alert as "generic" and that it doesn't influence any of the charts in the report.
+
+## Find subtle threat artifacts using advanced hunting
+While detections allow you to identify and stop the tracked threat automatically, many attack activities leave subtle traces that require additional inspection. Some attack activities exhibit behaviors that can also be normal, so detecting them dynamically can result in operational noise or even false positives.
+
+[Advanced hunting](advanced-hunting-overview.md) provides a query interface based on Kusto Query Language that simplifies locating subtle indicators of threat activity. It also allows you to surface contextual information and verify whether indicators are connected to a threat.
+
+Advanced hunting queries in the analyst reports have been vetted by Microsoft analysts and are ready for you to run in the [advanced hunting query editor](https://securitycenter.windows.com/advanced-hunting). You can also use the queries to create [custom detection rules](custom-detection-rules.md) that trigger alerts for future matches.
+
+
+## Related topics
+- [Threat analytics overview](threat-analytics.md)
+- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
+- [Custom detection rules](custom-detection-rules.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
index cb44743101..5618f4c5a4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
@@ -41,7 +41,7 @@ Threat analytics is a set of reports from expert Microsoft security researchers
- Common attack surfaces
- Prevalent malware
-Each report provides a detailed analysis of a threat and extensive guidance on how to defend against the threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable security updates and recommended settings in place.
+Each report provides a detailed analysis of a threat and extensive guidance on how to defend against that threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable protections in place.
Watch this short video to learn more about how threat analytics can help you track the latest threats and stop them.
@@ -54,7 +54,7 @@ The threat analytics dashboard is a great jump off point for getting to the repo
- **Latest threats**—lists the most recently published threat reports, along with the number of devices with active and resolved alerts.
- **High-impact threats**—lists the threats that have had the highest impact to the organization. This section ranks threats by the number of devices that have active alerts.
-- **Threat summary**—shows the overall impact of all the threats reported in threat analytics by showing the number of threats with active and resolved alerts.
+- **Threat summary**—shows the overall impact of tracked threats by showing the number of threats with active and resolved alerts.
Select a threat from the dashboard to view the report for that threat.
@@ -64,38 +64,43 @@ Select a threat from the dashboard to view the report for that threat.
Each threat analytics report provides information in three sections: **Overview**, **Analyst report**, and **Mitigations**.
-### Quickly understand a threat and assess its impact to your network in the overview
+### Overview: Quickly understand the threat, assess its impact, and review defenses
The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices.
_Overview section of a threat analytics report_
-#### Organizational impact
+#### Assess the impact to your organization
Each report includes charts designed to provide information about the organizational impact of a threat:
- **Devices with alerts**—shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved.
- **Devices with alerts over time**—shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
-#### Organizational resilience and exposure
+#### Review security resilience and posture
Each report includes charts that provide an overview of how resilient your organization is against a given threat:
- **Security configuration status**—shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings.
- **Vulnerability patching status**—shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat.
-### Get expert insight from the analyst report
+### Analyst report: Get expert insight from Microsoft security researchers
Go to the **Analyst report** section to read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful [threat hunting](advanced-hunting-overview.md) guidance.
-
-_Analyst report section of a threat analytics report_
+[Learn more about the analyst report](threat-analytics-analyst-reports.md)
-### Review list of mitigations and the status of your devices
-In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes recommended settings and vulnerability patches. It also shows the number of devices that don't have these mitigations in place.
+### Mitigations: Review list of mitigations and the status of your devices
+In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes:
+- **Security updates**—deployment of security updates or patches for vulnerabilities
+- **Microsoft Defender Antivirus settings**
+ - Security intelligence version
+ - Cloud-delivered protection
+ - Potentially unwanted application (PUA) protection
+ - Real-time protection
+
Mitigation information in this section incorporates data from [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md), which also provides detailed drill-down information from various links in the report.
_Mitigations section of a threat analytics report_
-
## Additional report details and limitations
When using the reports, keep the following in mind:
@@ -107,4 +112,5 @@ When using the reports, keep the following in mind:
## Related topics
- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
-- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md)
+- [Understand the analyst report section](threat-analytics-analyst-reports.md)
+- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md
index 6f64c59f54..ef781abcdd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md
@@ -42,6 +42,7 @@ Ensure that your devices:
> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
- Are onboarded to [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) to help remediate threats found by threat and vulnerability management. If you're using Configuration Manager, update your console to the latest version.
+ - **Note**: If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set.
- Have at least one security recommendation that can be viewed in the device page
- Are tagged or marked as co-managed
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index edc7850d76..37f460afea 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -36,6 +36,8 @@ The threat and vulnerability management capability in Microsoft Defender for End
To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**.
+**Note**: If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set.
+
See [Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
### Remediation request steps
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md
index fa51efb6f6..5ce499f8fe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md
@@ -23,11 +23,6 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-> [!IMPORTANT]
-> **Vulnerable devices report is currently in public preview**
-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
-> For more information, see [Microsoft Defender for Endpoint preview features](preview.md).
-
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)