Merge pull request #2687 from MicrosoftDocs/FromPrivateRepo

From private repo

.openpublishing.redirection.json

@@ -11,6 +11,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-containers-help-protect-windows",
+"redirect_document_id": true
+},
+{
 "source_path": "browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md",
 "redirect_url": "https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility",
 "redirect_document_id": true

windows/deployment/update/waas-configure-wufb.md

@@ -7,7 +7,6 @@ ms.sitesec: library
 author: jaimeo
 ms.localizationpriority: medium
 ms.author: jaimeo
-ms.date: 11/16/2018
 ---
 
 # Configure Windows Update for Business
@@ -17,6 +16,8 @@ ms.date: 11/16/2018
 
 - Windows 10
 - Windows 10 Mobile
+- Windows Server 2016
+- Windows Server 2019
 
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 

windows/deployment/update/waas-manage-updates-wufb.md

@@ -16,6 +16,8 @@ ms.author: jaimeo
 
 - Windows 10
 - Windows 10 Mobile
+- Windows Server 2016
+- Windows Server 2019
 
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 

windows/deployment/upgrade/troubleshoot-upgrade-errors.md

@@ -7,7 +7,6 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
-ms.date: 03/30/2018
 ms.localizationpriority: medium
 ---
 
@@ -22,7 +21,7 @@ ms.localizationpriority: medium
 
 If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. 
 
-Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. 
+Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100.
 
 These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered.
 

windows/deployment/upgrade/windows-10-edition-upgrades.md

@@ -8,7 +8,6 @@ ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mobile
 author: greg-lindsay
-ms.date: 10/25/2018
 ---
 
 # Windows 10 edition upgrade
@@ -59,7 +58,6 @@ X = unsupported <BR>
 | **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
 | **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
 | **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Enterprise LTSC > Enterprise** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
 | **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) |
 
 > [!NOTE]

windows/deployment/upgrade/windows-10-upgrade-paths.md

@@ -7,7 +7,6 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.pagetype: mobile
 author: greg-lindsay
-ms.date: 07/06/2018
 ---
 
 # Windows 10 upgrade paths
@@ -24,7 +23,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
 
 >**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
 
->In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported.  **Note**: Windows 10 LTSC 2015 did not block this upgrade path.  This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later.
+>In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported.  **Note**: Windows 10 LTSC 2015 did not block this upgrade path.  This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). 
 
 >**Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
 

windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md

@@ -17,13 +17,7 @@ ms.author: greg-lindsay
 
 Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory; it also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
 
--   Windows 10 version 1703 or higher must be used. Supported editions are the following:
-    -   Pro
-    -   Pro Education
-    -   Pro for Workstations
-    -   Enterprise
-    -   Education
--   One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality:
+-   To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
     -   [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
     -   [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
     -   [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
@@ -32,6 +26,6 @@ Windows Autopilot depends on specific capabilities available in Windows 10 and A
     -   [Intune for Education subscriptions](https://docs.microsoft.com/en-us/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features
     -   [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/en-us/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service)
 
-Additionally, the following are also recommended but not required:
+Additionally, the following are also recommended (but not required):
 -   [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services)
 -   [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise

windows/deployment/windows-autopilot/windows-autopilot-requirements.md

@@ -15,7 +15,17 @@ ms.author: greg-lindsay
 
 **Applies to: Windows 10**
 
-Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune.  In order to use Windows Autopilot and leverage these capabilities, some requirements must be met:
+Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune.  In order to use Windows Autopilot and leverage these capabilities, some requirements must be met.
+
+- Windows 10 version 1703 (semi-annual channel) or higher is required. 
+- The following editions are supported:
+    -   Pro
+    -   Pro Education
+    -   Pro for Workstations
+    -   Enterprise
+    -   Education
+
+- Windows 10 Enterprise 2019 LTSC is also supported.
 
 See the following topics for details on licensing, network, and configuration requirements:
 - [Licensing requirements](windows-autopilot-requirements-licensing.md)

windows/security/threat-protection/TOC.md

@@ -7,7 +7,7 @@
 ##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md)
 ###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md)
 ####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
-###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md)
+###### [System integrity](windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md)
 ##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
 ##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
 ##### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
@@ -122,7 +122,9 @@
 
 ### [Configure and manage capabilities](windows-defender-atp/onboard.md)
 #### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md)
-##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md)
+####Hardware-based isolation
+##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
+##### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md)
 ###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) 
 ##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
 ##### Device control

windows/security/threat-protection/intelligence/coinminer-malware.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 # Coin miners
 

windows/security/threat-protection/intelligence/coordinated-malware-eradication.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 07/12/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 # Coordinated Malware Eradication
 

windows/security/threat-protection/intelligence/criteria.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/01/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 
 # How Microsoft identifies malware and potentially unwanted applications

windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 07/12/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: conceptual
 ---
 # Industry collaboration programs
 

windows/security/threat-protection/intelligence/developer-faq.md

@@ -10,7 +10,10 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 07/01/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 
 # Software developer FAQ
@@ -18,24 +21,29 @@ ms.date: 07/01/2018
 This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide.
 
 ## Does Microsoft accept files for a known list or false-positive prevention program?
+
 No. We do not accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers.
 
 ## How do I dispute the detection of my program?
-Submit the file in question as a software developer. Wait until your submission has a final determination. 
+
+Submit the file in question as a software developer. Wait until your submission has a final determination.
 
 If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
 
 We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted software. 
 
 ## Why is Microsoft asking for a copy of my program?
+
 This can help us with our analysis. Participants of the Microsoft Active Protection Service (MAPS) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
 
 ## Why does Microsoft classify my installer as a software bundler?
+
 It contains instructions to offer a program classified as unwanted software. You can review the criteria we use to check applications for behaviors that are considered unwanted.
 
 ## Why is the Windows Firewall blocking my program?
+
 This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network.
 
 ## Why does the Windows Defender SmartScreen say my program is not commonly downloaded?
-This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.
 
+This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.

windows/security/threat-protection/intelligence/developer-info.md

@@ -10,14 +10,19 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 07/13/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 
 # Information for developers
+
 Learn about the common questions we receive from software developers and get other developer resources such as detection criteria and file submissions.
 
-## In this section 
-Topic | Description 
+## In this section
+
+Topic | Description
 :---|:---
 [Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers.
 [Developer resources](developer-resources.md) | Provides information about how to submit files, detection criteria, and how to check your software against the latest Security intelligence and cloud protection from Microsoft.

windows/security/threat-protection/intelligence/developer-resources.md

@@ -6,11 +6,14 @@ search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: medium
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 07/13/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 
 # Software developer resources
@@ -19,7 +22,9 @@ Concerned about the detection of your software?
 If you believe that your application or program has been incorrectly detected by Microsoft security software, submit the relevant files for analysis.
 
 Check out the following resources for information on how to submit and view submissions:
+
 - [Submit files](https://www.microsoft.com/en-us/wdsi/filesubmission)
+
 - [View your submissions](https://www.microsoft.com/en-us/wdsi/submissionhistory)
 
 ## Additional resources
@@ -34,4 +39,4 @@ Find more guidance about the file submission and detection dispute process in ou
 
 ### Scan your software
 
-Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) to check your software against the latest Security intelligence and cloud protection from Microsoft.
+Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft.

windows/security/threat-protection/intelligence/exploits-malware.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 # Exploits and exploit kits
 
@@ -26,7 +29,7 @@ The infographic below shows how an exploit kit might attempt to exploit a device
 
 ![example of how exploit kits work](./images/ExploitKit.png)
 
-*Example of how exploit kits work*
+*Figure 1. Example of how exploit kits work*
 
 Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware.
 

windows/security/threat-protection/intelligence/fileless-threats.md

@@ -6,12 +6,15 @@ ms.prod: w10
 ms.mktglfcycl: secure
 ms.sitesec: library
 ms.localizationpriority: medium
-ms.author: eravena
-author: eavena
-ms.date: 09/14/2018
+ms.author: ellevin
+author: levinec
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 
-#Fileless threats
+# Fileless threats
 
 What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate. 
 
@@ -24,50 +27,50 @@ To shed light on this loaded term, we grouped fileless threats into different ca
 
 We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts. 
 
-Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector. 
+Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector.
 
 Finally, we can classify the host of the infection: for example, a Flash application that may contain an exploit; a simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads.
 
 This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced. 
 
-From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines. 
+From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines.
 
-##Type I: No file activity performed
+## Type I: No file activity performed
 
-A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file. 
+A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file.
 
 Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls. 
 
 Infections of this type can be extra difficult to detect and remediate. Antivirus products usually don’t have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, it’s not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks.
 
-##Type II: Indirect file activity
+## Type II: Indirect file activity
 
-There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type don’t directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically. 
+There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type don’t directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically.
 
 It’s possible to carry out such installation via command line without requiring the presence of the backdoor to be on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a physical file, for practical purposes it’s considered a fileless attack given that the WMI repository is a multi-purpose data container that cannot be simply detected and removed.
 
-##Type III: Files required to operate
+## Type III: Files required to operate
 
 Some malware can have some sort of fileless persistence but not without using files in order to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
 
 ![Image of Kovter's registry key](images/kovter-reg-key.png)<br>
 *Figure 2. Kovter’s registry key*
 
-When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts. 
+When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts.
 
 Despite the use of files, and despite the fact that the registry too is stored in physical files, Kovter is considered a fileless threat because the file system is of no practical use: the files with random extension contain junk data that is not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be detected and deleted if malicious content is present.
 
-##Categorizing fileless threats by infection host
+## Categorizing fileless threats by infection host
 
 Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race.
 
-###Exploits
+### Exploits
 
 **File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. in order to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file.
 
 **Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory. 
 
-###Hardware
+### Hardware
 
 **Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. A software residing and running in the chipset of a device is called a firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/).
 
@@ -79,7 +82,7 @@ Having described the broad categories, we can now dig into the details and provi
 
 **Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor in order to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date.
 
-###Execution and injection
+### Execution and injection
 
 **File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other legitimate running processes.
 
@@ -89,8 +92,8 @@ Having described the broad categories, we can now dig into the details and provi
 
 **Disk-based** (Type II: Boot Record): The [Boot Record](https://en.wikipedia.org/wiki/Boot_sector) is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but it’s accessible by the operating system, and modern antivirus products have the capability to scan and restore it.
 
-##Defeating fileless malware
+## Defeating fileless malware
 
-At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
+At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
 
 To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)

windows/security/threat-protection/intelligence/index.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: conceptual
 ---
 # Security intelligence
 
@@ -19,6 +22,6 @@ Here you will find information about different types of malware, safety tips on
 * [Submit files for analysis](submission-guide.md)
 * [Safety Scanner download](safety-scanner-download.md)
 
-Keep up with the latest malware news and research. Check out our [Windows security blogs](https://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
+Keep up with the latest malware news and research. Check out our [Windows security blogs](https://cloudblogs.microsoft.com/microsoftsecure/?product=windows,windows-defender-advanced-threat-protection) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
 
 Learn more about [Windows security](https://docs.microsoft.com/windows/security/index).

windows/security/threat-protection/intelligence/macro-malware.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 # Macro malware
 

windows/security/threat-protection/intelligence/malware-naming.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 # Malware names
 

windows/security/threat-protection/intelligence/phishing.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 
 # Phishing

windows/security/threat-protection/intelligence/prevent-malware-infection.md

@@ -8,14 +8,15 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 # Prevent malware infection
 
 Malware authors are always looking for new ways to infect computers. Follow the simple tips below to stay protected and minimize threats to your data and accounts.
 
-You can also browse the many [software and application solutions](https://review.docs.microsoft.com/en-us/windows/security/intelligence/prevent-malware-infection?branch=wdsi-migration-stuff#software-solutions) available to you.
-
 ## Keep software up-to-date
 
 [Exploits](exploits-malware.md) typically use vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and Microsoft Office to infect devices. Software updates patch vulnerabilities so they aren't available to exploits anymore.
@@ -28,7 +29,7 @@ Email and other messaging tools are a few of the most common ways your device ca
 
 * Use an email service that provides protection against malicious attachments, links, and abusive senders. [Microsoft Office 365](https://support.office.com/article/Anti-spam-and-anti-malware-protection-in-Office-365-5ce5cf47-2120-4e51-a403-426a13358b7e) has built-in antimalware, link protection, and spam filtering.
 
-For more information, see [Phishing](phishing.md).
+For more information, see [phishing](phishing.md).
 
 ## Watch out for malicious or compromised websites
 
@@ -50,7 +51,7 @@ Using pirated content is not only illegal, it can also expose your device to mal
 
 Users do not openly discuss visits to these sites, so any untoward experience are more likely to stay unreported.
 
-To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/windows/windows-10-s?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed.
+To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/en-us/windows/s-mode?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed.
 
 ## Don't attach unfamiliar removable drives
 
@@ -94,7 +95,7 @@ Microsoft provides comprehensive security capabilities that help protect against
 
 * [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies.
 
-* [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product.
+* [Microsoft Safety Scanner](safety-scanner-download.md) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product.
 
 * [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/#pivot=itadmin&panel=it-security) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
 
@@ -114,4 +115,4 @@ Microsoft provides comprehensive security capabilities that help protect against
 
 Windows Defender ATP antivirus capabilities helps reduce the chances of infection and will automatically remove threats that it detects.
 
-In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
+In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).

windows/security/threat-protection/intelligence/ransomware-malware.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 # Ransomware
 

windows/security/threat-protection/intelligence/rootkits-malware.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 # Rootkits
 
@@ -50,7 +53,7 @@ For more general tips, see [prevent malware infection](prevent-malware-infection
 
 Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isn’t detecting it, you might need an extra tool that lets you boot to a known trusted environment.
 
-[Windows Defender Offline](https://windows.microsoft.com/windows/what-is-windows-defender-offline) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection.
+[Windows Defender Offline](https://support.microsoft.com/help/17466/windows-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection.
 
 [System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity.
 

windows/security/threat-protection/intelligence/safety-scanner-download.md

@@ -6,11 +6,15 @@ ms.prod: w10
 ms.mktglfcycl: secure
 ms.sitesec: library
 ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-ms.date: 08/01/2018
+ms.author: ellevin
+author: levinec
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 # Microsoft Safety Scanner
+
 Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
 
 - [Download Microsoft Safety Scanner (32-bit)](https://go.microsoft.com/fwlink/?LinkId=212733) 
@@ -37,9 +41,9 @@ For more information about the Safety Scanner, see the support article on [how t
 
 ## Related resources
 
-- [Troubleshooting Safety Scanner](https://support.microsoft.com/kb/2520970)
-- [Windows Defender Antivirus](https://www.microsoft.com/en-us/windows/windows-defender)
+- [Troubleshooting Safety Scanner](https://support.microsoft.com/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner)
+- [Windows Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security)
 - [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download)
-- [Removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection)
-- [Submit file for malware analysis](https://www.microsoft.com/en-us/wdsi/filesubmission)
-- [Microsoft antimalware and threat protection solutions](https://www.microsoft.com/en-us/wdsi/products)
+- [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware)
+- [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission)
+- [Microsoft antimalware and threat protection solutions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection)

windows/security/threat-protection/intelligence/submission-guide.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/01/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 
 # Submit files for analysis

windows/security/threat-protection/intelligence/supply-chain-malware.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 
 # Supply chain attacks

windows/security/threat-protection/intelligence/support-scams.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 # Tech support scams
 
@@ -60,4 +63,4 @@ Help Microsoft stop scammers, whether they claim to be from Microsoft or from an
 
 **www.microsoft.com/reportascam**
 
-You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or using built in web browser functionality.
+You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality.

windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md

@@ -8,11 +8,15 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 
 # Top scoring in industry tests
 
-Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
+Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
 
 ## Endpoint detection & response
 
@@ -106,8 +110,8 @@ SE Labs tests a range of solutions used by products and services to detect and/o
 
 It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the evaluations highlighted above. For example, in an average month, we identify over 100 million new threats.  Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.
 
-The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Windows Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)  that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world.
+The capabilities within [Windows Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Windows Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)  that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world.
 
-Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports).
+Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports).
 
 ![ATP](./images/wdatp-pillars2.png)

windows/security/threat-protection/intelligence/trojans-malware.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 
 # Trojans
@@ -37,6 +40,6 @@ Use the following free Microsoft software to detect and remove it:
 
 - [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
 
-- [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner)
+- [Microsoft Safety Scanner](safety-scanner-download.md)
 
 For more general tips, see [prevent malware infection](prevent-malware-infection.md).

windows/security/threat-protection/intelligence/understanding-malware.md

@@ -1,6 +1,6 @@
 ---
 title: Understanding malware & other threats
-description: Learn about the world's most prevalent viruses, malware, and other threats. Understand how they arrive, their detailed behaviors, infection symptoms, and how to prevent & remove them.
+description: Learn about the most prevalent viruses, malware, and other threats. Understand how they arrive, their detailed behaviors, infection symptoms, and how to prevent & remove them.
 keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi
 ms.prod: w10
 ms.mktglfcycl: secure
@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: conceptual
 ---
 # Understanding  malware & other threats
 
@@ -16,7 +19,7 @@ Malware is a term used to describe malicious applications and code that can caus
 
 Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims.
 
-As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf), businesses can stay protected with next-generation protection and other security capabilities.
+As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)), businesses can stay protected with next-generation protection and other security capabilities.
 
 For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic.
 

windows/security/threat-protection/intelligence/unwanted-software.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 # Unwanted software
 
@@ -30,7 +33,7 @@ Here are some indications of unwanted software:
 
 Some indicators are harder to recognize because they are less disruptive, but are still unwanted. For example, unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of the browser.
 
-Microsoft uses an extensive [evaluation criteria](https://www.microsoft.com/wdsi/antimalware-support/malware-and-unwanted-software-evaluation-criteria) to identify unwanted software.
+Microsoft uses an extensive [evaluation criteria](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria) to identify unwanted software.
 
 ## How to protect against unwanted software
 
@@ -57,4 +60,4 @@ If you only recently noticed symptoms of unwanted software infection, consider s
 
 You may also need to **remove browser add-ons** in your browsers, such as Internet Explorer, Firefox, or Chrome.
 
-In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
+In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).

windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 07/12/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 # Virus Information Alliance
 
@@ -46,4 +49,4 @@ To be eligible for VIA your organization must:
 
 3. Be willing to sign and adhere to the VIA membership agreement.
 
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).

windows/security/threat-protection/intelligence/virus-initiative-criteria.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 07/12/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 
 # Microsoft Virus Initiative
@@ -54,4 +57,4 @@ Your organization must meet the following eligibility requirements to participat
 
 ### Apply now
 
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).

windows/security/threat-protection/intelligence/worms-malware.md

@@ -8,7 +8,10 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: ellevin
 author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
 ---
 
 # Worms

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -5,7 +5,7 @@
 #### [Hardware-based isolation](overview-hardware-based-isolation.md)
 ##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md)
 ###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md)
-##### [System isolation](how-hardware-based-containers-help-protect-windows.md)
+##### [System integrity](../windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md)
 #### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
 #### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
 #### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
@@ -120,7 +120,9 @@
 
 ## [Configure and manage capabilities](onboard.md)
 ### [Configure attack surface reduction](configure-attack-surface-reduction.md)
-#### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md)
+###Hardware-based isolation
+#### [System integrity](../windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
+#### [Application isolation](../windows-defender-application-guard/install-wd-app-guard.md)
 ##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md) 
 #### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
 #### Device control
@@ -136,7 +138,6 @@
 #### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
 ##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
 #### [Attack surface reduction controls](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
-##### [Customize attack surface reduction](../windows-defender-exploit-guard/customize-attack-surface-reduction.md)
 #### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
 
 

windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md

@@ -15,7 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 11/14/2018
+ms.date: 02/14/2019
 ---
 
 
@@ -89,7 +89,7 @@ netsh winhttp set proxy <proxy>:<port>
 For example: netsh winhttp set proxy 10.0.0.6:8080
 
 ## Enable access to Windows Defender ATP service URLs in the proxy server
-If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
+If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Windows Defender ATP service in port 80 and 443:
 
 >[!NOTE]
 > URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. 
@@ -103,7 +103,7 @@ United States | ```us.vortex-win.data.microsoft.com```<br> ```us-v20.events.data
 
 
 
-If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP  sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
+If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
 
 ## Windows Defender ATP service backend IP range 
 If you network devices don't support the URLs white-listed in the prior section, you can use the following information.

windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md

@@ -1,58 +0,0 @@
----
-title: How hardware-based containers help protect Windows 10 (Windows 10)
-description: Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-author: justinha
-ms.date: 08/01/2018
----
-
-
-# Windows Defender System Guard: How hardware-based containers help protect Windows 10
-
-Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised. 
-Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard. 
-
-Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make the these security guarantees:
-
-- Protect and maintain the integrity of the system as it starts up
-- Protect and maintain the integrity of the system after it's running
-- Validate that system integrity has truly been maintained through local and remote attestation
-
-## Maintaining the integrity of the system as it starts
-
-With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
-
-With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). 
-
-After successful verification and startup of the device’s firmware and Windows bootloader, the next opportunity for attackers to tamper with the system’s integrity is while the rest of the Windows operating system and defenses are starting. As an attacker, embedding your malicious code using a rootkit within the boot process enables you to gain the maximum level of privilege and gives you the ability to more easily persist and evade detection. 
-
-This is where Windows Defender System Guard protection begins with its ability to ensure that only properly signed and secure Windows files and drivers, including third party, can start on the device. At the end of the Windows boot process, System Guard will start the system’s antimalware solution, which scans all third party drivers, at which point the system boot process is completed. In the end, Windows Defender System Guard helps ensure that the system securely boots with integrity and that it hasn’t been compromised before the remainder of your system defenses start.
-
-![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png)
-
-## Maintaining integrity of the system after it’s running (run time)
-
-Prior to Windows 10, if an attacker exploited the system and gained SYSTEM level privilege or they compromised the kernel itself, it was game over. The level of control that an attacker would acquire in this condition would enable them to tamper with and bypass many, if not all, of your system defenses. While we have a number of development practices and technologies (such as Windows Defender Exploit Guard) that have made it difficult to gain this level of privilege in Windows 10, the reality is that we needed a way to maintain the integrity of the most sensitive Windows services and data, even when the highest level of privilege has been secured by an adversary.
-
-With Windows 10, we introduced the concept of virtualization-based security (VBS), which enables us to contain the most sensitive Windows services and data in hardware-based isolation, which is the Windows Defender System Guard container. This secure environment provides us with the hardware-based security boundary we need to be able to secure and maintain the integrity of critical system services at run time like Credential Guard, Device Guard, Virtual TPM and parts of Windows Defender Exploit Guard, just to name a few.
-
-![Windows Defender System Guard](images/windows-defender-system-guard.png) 
-
-## Validating platform integrity after Windows is running (run time)
-
-While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity.
-
-As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
-
-
-![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png)

windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -1,6 +1,6 @@
 ---
 title: Use attack surface reduction rules to prevent malware infection
-description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
+description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware
 keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -11,7 +11,6 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 11/29/2018
 ---
 
 # Reduce attack surfaces with attack surface reduction rules 
@@ -20,26 +19,25 @@ ms.date: 11/29/2018
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature is part of Windows Defender Advanced Threat Protection and provides:
+Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1803 or later, or Windows Server 2019. 
 
-- Rules you can set to enable or disable specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
-	- Executable files and scripts used in Office apps or web mail that attempt to download or run files
-	- Scripts that are obfuscated or otherwise suspicious
-	- Behaviors that apps undertake that are not usually initiated during normal day-to-day work
-- Centralized monitoring and reporting with deep optics that help you connect the dots across events, computers and devices, and networks
-- Analytics to enable ease of deployment, by using [audit mode](audit-windows-defender-exploit-guard.md) to show how attack surface reduction rules would impact your organization if they were enabled
+To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
 
-When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
+Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
 
-Attack surface reduction is supported on Windows 10, version 1709 and later and Windows Server 2019.
+- Executable files and scripts used in Office apps or web mail that attempt to download or run files
+- Obfuscated or otherwise suspicious scripts
+- Behaviors that apps don't usually initiate during normal day-to-day work
 
-## Requirements
+You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
 
-Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
+Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Windows Defender ATP Security Center and on the M365 console. 
+
+For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
 
 ## Attack surface reduction rules
 
-The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table.
+The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy:
 
 Rule name | GUID
 -|-
@@ -50,7 +48,7 @@ Block Office applications from injecting code into other processes | 75668C1F-73
 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
 Block execution of potentially obfuscated scripts  | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
 Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
+Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25
 Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
@@ -58,147 +56,186 @@ Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9
 Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
-### Rule: Block executable content from email client and webmail
+Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.
 
-This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
+### Block executable content from email client and webmail
+
+This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers:
 
 - Executable files (such as .exe, .dll, or .scr) 
 - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-- Script archive files
 
-### Rule: Block all Office applications from creating child processes
+Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
 
-Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
+SCCM name: Block executable content from email client and webmail
 
->[!NOTE]
->This does not include Outlook. For Outlook, please see [Block Office communication applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#rule-block-office-communication-applications-from-creating-child-processes).
+GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
 
-This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
+### Block all Office applications from creating child processes
 
-### Rule: Block Office applications from creating executable content
+This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
 
-This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.
+This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings.
 
-Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
+Intune name: Office apps launching child processes
 
-### Rule: Block Office applications from injecting code into other processes
+SCCM name: Block Office application from creating child processes
 
-Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to inject code into other processes. 
+GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
 
-This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
+### Block Office applications from creating executable content
 
-### Rule: Block JavaScript or VBScript From launching downloaded executable content
+This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content. 
 
-JavaScript and VBScript scripts can be used by malware to launch other malicious apps. 
+This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
 
-This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
+Intune name: Office apps/macros creating executable content
 
-### Rule: Block execution of potentially obfuscated scripts
+SCCM name: Block Office applications from creating executable content
 
-Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. 
+GUID: 3B576869-A4EC-4529-8536-B80A7769E899
 
-This rule prevents scripts that appear to be obfuscated from running. 
+### Block Office applications from injecting code into other processes
 
-### Rule: Block Win32 API calls from Office macro
+Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.
 
-Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
+This rule applies to Word, Excel, and PowerPoint. 
 
-This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote.
+Intune name: Office apps injecting code into other processes (no exceptions)
 
-### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
+SCCM name: Block Office applications from injecting code into other processes
+
+GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+
+### Block JavaScript or VBScript from launching downloaded executable content
+
+Malware often uses JavaScript and VBScript scripts to launch other malicious apps. 
+
+Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. You can exclude scripts so they're allowed to run.
+
+>[!IMPORTANT]
+>File and folder exclusions don't apply to this attack surface reduction rule.
+
+Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
+
+SCCM name: Block JavaScript or VBScript from launching downloaded executable content
+
+GUID: D3E037E1-3EB8-44C8-A917-57927947596D
+
+### Block execution of potentially obfuscated scripts
+
+Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.
+
+Intune name: Obfuscated js/vbs/ps/macro code
+
+SCCM name: Block execution of potentially obfuscated scripts.
+
+GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+
+### Block Win32 API calls from Office macros
+
+Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface.
+
+Intune name: Win32 imports from Office macro code
+
+SCCM name: Block Win32 API calls from Office macros
+
+GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+
+### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  
-This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
+This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:
  
 - Executable files (such as .exe, .dll, or .scr) 
 
 >[!NOTE]
 >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+
+Intune name: Executables that don't meet a prevalence, age, or trusted list criteria
+
+SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
+
+GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
  
-### Rule: Use advanced protection against ransomware
+### Use advanced protection against ransomware
  
-This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
+This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
 
 >[!NOTE]
 >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+
+Intune name: Advanced ransomware protection
+
+SCCM name: Use advanced protection against ransomware
+
+GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
  
-### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
+### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  
 Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
 
  >[!NOTE]
- >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
+ >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
+
+Intune name: Flag credential stealing from the Windows local security authority subsystem
+
+SCCM name: Block credential stealing from the Windows local security authority subsystem
+
+GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+
+### Block process creations originating from PSExec and WMI commands
 
-### Rule: Block process creations originating from PSExec and WMI commands
- 
 This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
 
+>[!IMPORTANT]
+>File and folder exclusions do not apply to this attack surface reduction rule.
+
 >[!WARNING]
->[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.]
+>Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
+
+Intune name: Process creation from PSExec and WMI commands
+
+SCCM name: Not applicable
+
+GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
  
-### Rule: Block untrusted and unsigned processes that run from USB
+### Block untrusted and unsigned processes that run from USB
  
 With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
  
 - Executable files (such as .exe, .dll, or .scr) 
 - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 
-### Rule: Block Office communication application from creating child processes
+Intune name: Untrusted and unsigned processes that run from USB
 
-Outlook will not be allowed to create child processes.
+SCCM name: Block untrusted and unsigned processes that run from USB
 
-This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
+GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
+
+### Block Office communication application from creating child processes
+
+This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
 
 >[!NOTE]
->This rule applies to Outlook only.
+>This rule applies to Outlook and Outlook.com only.
 
-### Rule: Block Adobe Reader from creating child processes
+Intune name: Not yet available
 
-This rule blocks Adobe Reader from creating child processes.
+SCCM name: Not yet available
 
-## Review attack surface reduction rule events in the Windows Defender ATP Security Center
+GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
 
-Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). 
+### Block Adobe Reader from creating child processes
 
-You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how attack surface reduction rules would affect your environment if they were enabled.
+Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes. 
 
-## Review attack surface reduction rule events in Windows Event Viewer
+Intune name: Not applicable
 
-You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited):
+SCCM name: Not applicable
 
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
+GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
-2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
-3. On the left panel, under **Actions**, click **Import custom view...**
-  
-4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-5. Click **OK**.
-
-6. This will create a custom view that filters to only show the following events related to attack surface reduction rules:
-
- Event ID | Description
--|-
-5007 | Event when settings are changed
-1122 | Event when rule fires in Audit-mode 
-1121 | Event when rule fires in Block-mode 
-
-### Event fields
-
-- **ID**: matches with the Rule-ID that triggered the block/audit.
-- **Detection time**: Time of detection
-- **Process Name**: The process that performed the "operation" that was blocked/audited
-- **Description**: Additional details about the event or audit, including Security intelligence, engine, and product version of Windows Defender Antivirus
-
-## Attack surface reduction rules in Windows 10 Enterprise E3
-
-A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3).
-
- ## In this section
-
-Topic | Description 
----|---
-[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created.
-[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network.
-[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. 
+## Related topics
 
+- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)

windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md

@@ -11,101 +11,168 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 10/17/2018
 ---
 
 # Enable attack surface reduction rules
 
-**Applies to:**
+Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. 
 
-- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules.
 
-Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
+## Exclude files and folders from ASR rules
+
+You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
+
+>[!WARNING]
+>Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
+> 
+>If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules).
+
+>[!IMPORTANT]
+>File and folder exclusions do not apply to the following ASR rules:
+>
+>- Block process creations originating from PSExec and WMI commands
+>- Block JavaScript or VBScript from launching downloaded executable content
+
+You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to.
+
+ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
+
+The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
 
 ## Enable and audit attack surface reduction rules
 
-You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode.
+It's best to use an enterprise-level management platform like Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or third-party mobile device management (MDM) CSPs.
 
-For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
+>[!WARNING]
+>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy or PowerShell settings on startup.
 
-Attack surface reduction rules are identified by their unique rule ID. 
+For a complete list of ASR rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md).
 
-You can manually add the rules by using the GUIDs in the following table:
+Each ASR rule contains three settings:
 
-Rule description | GUID
--|-
-Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9B1eeee46550
-Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a
-Block Office applications from creating executable content  | 3b576869-a4eC-4529-8536-b80a7769e899
-Block Office applications from injecting code into other processes | 75668c1f-73b5-4Cf0-bb93-3ecf5cb7cc84
-Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d
-Block execution of potentially obfuscated scripts  | 5beb7efe-fd9A-4556-801d-275e5ffc04cc
-Block Win32 API calls from Office macro | 92e97fa1-2edf-4476-bdd6-9dd0B4dddc7b
-Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
-Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
-Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
-Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
-Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
-Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+* Not configured: Disable the ASR rule
+* Block: Enable the ASR rule
+* Audit: Evaluate how the ASR rule would impact your organization if enabled
 
-See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
+For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md).
 
-### Use Group Policy to enable or audit attack surface reduction rules
+### Enable ASR rules in Intune
 
-1.  On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In Intune, select *Device configuration* > *Profiles*. Choose an existing endpoint protection profile or create a new one. To create a new one, select *Create profile* and enter information for this profile. For *Profile type*, select *Endpoint protection*. If you've chosen an existing profile, select *Properties* and then select *Settings*.
 
-2.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule.
 
-3.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
+3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
+	
+	
 
-4. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
+4. Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one.
+
+### Enable ASR rules in SCCM
+
+For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy).
+
+### Enable ASR rules with Group Policy
+
+>[!WARNING]
+>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
+
+4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section:
     - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
-        -  Block mode = 1
-        -  Disabled = 0
-        -  Audit mode = 2
+        -  Disable = 0
+        -  Block (enable ASR rule) = 1
+        -  Audit = 2
 
-![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png)
+	![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png)
+
+5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. 
  
-### Use PowerShell to enable or audit attack surface reduction rules
+### Enable ASR rules with PowerShell
+
+>[!WARNING]
+>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
 
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
 
     ```PowerShell
     Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
     ```
 
-You can enable the feature in audit mode using the following cmdlet:
+	To enable ASR rules in audit mode, use the following cmdlet:
 
-```PowerShell
-Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
-```
-Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
+	```PowerShell
+	Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
+	```
 
->[!IMPORTANT>
->You must specify the state individually for each rule, but you can combine rules and states in a comma seperated list. 
->
->In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode:
->
->```PowerShell
->Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
->```
+	To turn off ASR rules, use the following cmdlet:
 
+	```PowerShell
+	Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Disabled
+	```
 
-You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. 
+	>[!IMPORTANT]
+	>You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. 
+	>
+	>In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode:
+	>
+	>```PowerShell
+	>Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
+	>```
 
->[!WARNING]
->`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
->You can obtain a list of rules and their current state by using `Get-MpPreference`
+	You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. 
 
+	>[!WARNING]
+	>`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
+	>You can obtain a list of rules and their current state by using `Get-MpPreference`
 
-### Use MDM CSPs to enable attack surface reduction rules
+3. To exclude files and folders from ASR rules, use the following cmdlet:
 
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
+    ```PowerShell
+    Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
+    ```
+
+	Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. 
+
+	>[!IMPORTANT]
+	>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
+
+### Enable ASR rules with MDM CSPs
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
+
+The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). 
+
+OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
+
+Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
+
+The values to enable, disable, or enable in audit mode are:
+
+-  Disable = 0
+-  Block (enable ASR rule) = 1
+-  Audit = 2
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
+
+Example:
+
+OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
+
+Value: c:\path|e:\path|c:\Whitelisted.exe
+
+>[!NOTE]
+>Be sure to enter OMA-URI values without spaces.
 
 ## Related topics
 
 - [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Customize attack surface reduction](customize-attack-surface-reduction.md)
 - [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)

windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md

@@ -11,7 +11,6 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 09/18/2018
 ---
 
 # Troubleshoot attack surface reduction rules
@@ -40,7 +39,7 @@ Attack surface reduction rules will only work on devices with the following cond
 > - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update).
 > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
 > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
-> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
+> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
 
 If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
 
@@ -61,7 +60,7 @@ Follow the instructions in [Use the demo tool to see how attack surface reductio
 
 Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run.
 
-1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
+1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
 2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
 3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
 

windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md

@@ -0,0 +1,83 @@
+---
+title: How a hardware-based root of trust helps protect Windows 10 (Windows 10)
+description: Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: justinha
+ms.date: 02/14/2019
+---
+
+
+# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10
+
+In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
+
+Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
+
+- Protect and maintain the integrity of the system as it starts up
+- Validate that system integrity has truly been maintained through local and remote attestation
+
+## Maintaining the integrity of the system as it starts
+
+### Static Root of Trust for Measurement (SRTM)
+
+With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. 
+This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
+
+With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. 
+This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). 
+This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM). 
+
+As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. 
+Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blacklist), or a list of known 'good' SRTM measurements (also known as a whitelist). 
+Each option has a drawback:
+
+- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed.
+- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow. 
+In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy.
+
+### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
+
+Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). 
+DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. 
+This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
+
+
+![System Guard Secure Launch](images/system-guard-secure-launch.png)
+
+Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. 
+
+### System Management Mode (SMM) protection
+
+System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. 
+Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. 
+SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if DRTM is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor. 
+To defend against this, two techniques are used:
+
+1. Paging protection to prevent inappropriate access to code and data
+2. SMM hardware supervision and attestation
+
+Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. 
+This prevents access to any memory that has not been specifically assigned. 
+
+A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it does not access any part of the address space that it is not supposed to. 
+
+SMM protection is built on top of the Secure Launch technology and requires it to function. 
+In the future, Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been tampered with. 
+
+## Validating platform integrity after Windows is running (run time)
+
+While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity.
+
+As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. 
+
+
+![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png)
+
+After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
+

windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md

@@ -0,0 +1,66 @@
+---
+title: System Guard Secure Launch and SMM protection (Windows 10)
+description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows 10 devices.
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: justinha
+ms.date: 02/14/2019
+---
+
+# System Guard Secure Launch and SMM protection
+
+This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM) protection to improve the startup security of Windows 10 devices.
+
+## How to enable System Guard Secure Launch
+
+You can enable System Guard Secure Launch by using any of these options:
+
+- [Mobile Device Management (MDM)](#mobile-device-management)
+- [Group Policy](#group-policy)
+- [Windows Security app](#windows-security-app)
+- [Registry](#registry)
+
+### Mobile Device Management
+
+System Guard Secure Launch can be configured for Mobile Device Management (MDM) by using DeviceGuard policies in the Policy CSP, specifically [DeviceGuard/ConfigureSystemGuardLaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch).
+
+### Group Policy
+
+1. Click **Start** > type and then click **Edit group policy**. 
+2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
+
+![Secure Launch Group Policy](images/secure-launch-group-policy.png)
+
+### Windows Security app
+
+Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
+
+![Secure Launch Security App](images/secure-launch-security-app.png)
+
+### Registry
+
+1. Open Registry editor.
+2. Click **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Control** > **DeviceGuard** > **Scenarios**.
+3. Right-click **Scenarios** > **New** > **Key** and name the new key **SystemGuard**.
+4. Right-click **SystemGuard** > **New** > **DWORD (32-bit) Value** and name the new DWORD **Enabled**. 
+5. Double-click **Enabled**, change the value to **1**, and click **OK**.
+
+![Secure Launch Registry](images/secure-launch-registry.png)
+
+## How to verify System Guard Secure Launch is configured and running
+
+To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
+
+![Secure Launch Security App](images/secure-launch-msinfo.png)
+
+
+
+
+
+
+
+

windows/whats-new/ltsc/whats-new-windows-10-2019.md

@@ -32,8 +32,9 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use
 
 ## Microsoft Intune
 
->[!NOTE]
->Some features that are described on this page require Microsoft Intune. Currently, information about Microsoft Intune support for LTSC 2019 is pending. 
+>Microsoft Intune supports LTSC 2019 and later. 
+
+
 
 ## Security
 
@@ -188,6 +189,20 @@ This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/clie
 
 This feature will soon be enabled on Olympia Corp as an optional feature.
 
+####  Delivering BitLocker policy to AutoPilot devices during OOBE 
+
+You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. 
+
+For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
+
+To achieve this:
+
+1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. 
+2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. 
+    - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
+3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. 
+    - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
+
 ### Identity protection
 
 Improvements have been added are to Windows Hello for Business and Credential Guard.
@@ -258,6 +273,33 @@ We’ve continued to work on the **Current threats** area in  [Virus & threat pr
 
 ![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings")
 
+## Deployment
+
+### Windows Autopilot
+
+[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. 
+
+Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information.
+
+Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. 
+
+You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices).
+
+#### Windows Autopilot self-deploying mode
+
+Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. 
+
+This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. 
+
+You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. 
+
+To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). 
+
+
+#### Autopilot Reset	
+
+IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
+
 ## Sign-in
 
 ### Faster sign-in to a Windows 10 shared pc