Merge remote-tracking branch 'refs/remotes/origin/rs1' into jdrs

windows/keep-secure/TOC.md

@@ -401,6 +401,30 @@
 ### [User Account Control](user-account-control-overview.md)
 #### [How User Account Control works](how-user-account-control-works.md)
 #### [User Account Control security policy settings](user-account-control-security-policy-settings.md)
+#### [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md)
+### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
+#### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
+#### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
+#### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
+<!--##### [Service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
+##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+##### [Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+#### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
+#### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
+##### [View the  Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
+##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
+##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
+##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
+##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
+#### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
 ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
 #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
 #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
@@ -411,4 +435,3 @@
 ### [Microsoft Passport guide](microsoft-passport-guide.md)
 ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
 ### [Windows 10 security overview](windows-10-security-guide.md)
-

windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,46 @@
+---
+title: Additional Windows Defender ATP configuration settings
+description: Use the Group Policy Console to configure settings that enable sample sharing from your endpoints. These settings are used in the deep analysis feature.
+keywords: configuration settings, Windows Defender ATP configuration settings, Windows Defender Advanced Threat Protection configuration settings, group policy Management Editor, computer configuration, policies, administrative templates,
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Additional Windows Defender ATP configuration settings
+
+**Applies to**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
+
+## Configure sample collection settings with Group Policy
+1.  On your GP management machine, copy the following files from the
+    configuration package:
+
+    a.  Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
+
+    b.  Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
+
+2.  Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor**, go to **Computer configuration**.
+
+4.  Click **Policies**, then **Administrative templates**.
+
+5.  Click **Windows components** and then **Windows Advanced Threat Protection**.
+
+6.  Choose to enable or disable sample sharing from your endpoints.
+
+## Related topics
+<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
+- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,70 @@
+---
+title: View and organize the Windows Defender ATP Alerts queue
+description: Learn about how the Windows Defender ATP alerts queue work, and how to sort and filter lists of alerts.
+keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# View and organize the Windows Defender Advanced Threat Protection Alerts queue
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+As a security operations team member, you can manage Windows Defender ATP alerts as part of your routine activities. Alerts will appear in queues according to their current status.
+
+To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
+
+> **Note**&nbsp;&nbsp;By default, the queues are sorted from newest to oldest.
+
+The following table and screenshot demonstrate the main areas of the **Alerts queue**.
+
+![Screenshot of the Dashboard showing the New Alerts list and navigation bar](images/alertsq.png)
+
+Highlighted area|Area name|Description
+:---|:---|:---
+(1)|**Alerts queue**| Select to show **New**, **In Progress**, or **Resolved alerts**
+(2)|Alerts|Each alert shows:<ul><li>The severity of an alert as a colored bar</li><li>A short description of the alert, including the name of the threat actor (in cases where the attribution is possible)</li><li>The last occurrence of the alert on any machine</li><li>The number of days the alert has been in the queue</li><li>The severity of the alert</li><li>The general category or type of alert, or the alert's kill-chain stage</li><li>The affected machine (if there are multiple machines, the number of affected machines will be shown)</li><li>A **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) that allows you to update the alert's status and add comments</li></ul>Clicking an alert expands to display more information about the threat and brings you to the date in the timeline when the alert was detected.
+(3)|Alerts sorting and filters | You can sort alerts by: <ul><li>**Newest** (when the threat was last seen on your network)</li><li>**Time in queue** (how long the threat has been in your queue)</li><li>**Severity**</li></ul>You can also filter the displayed alerts by:<ul><li>Severity</li><li>Time period</li></ul>See [Windows Defender ATP alerts](use-windows-defender-advanced-threat-protection.md#windows-defender-atp-alerts) for more details.
+
+##Sort and filter the Alerts queue
+You can filter and sort (or "pivot") the Alerts queue to identify specific alerts based on certain criteria.
+There are three mechanisms to pivot the queue against:
+
+1. Sort the queue by opening the drop-down menu in the **Sort by** field and choosing:
+
+  - **Newest** - Sorts alerts based on when the alert was last seen on an endpoint.
+  - **Time in queue** - Sorts alerts by the length of time an alert has been in the queue.
+  - **Severity** - Sorts alerts by their level of severity.
+
+2. Filter alerts by their **Severity** by opening the drop-down menu in the **Filter by** field and selecting one or more of the check boxes:
+
+  - High (Red) - Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
+  - Medium (Orange) - Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
+  - Low (Yellow) - Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization.
+
+3. Limit the queue to see alerts from various set periods by clicking the drop-down menu in the date range field (by default, this is selected as **6 months**):
+
+  - **1 day**
+  - **3 days**
+  - **7 days**
+  - **30 days**
+  - **6 months**
+
+  > **Note**&nbsp;&nbsp;You can change the sort order (for example, from most recent to least recent) by clicking the sort order icon ![the sort order icon looks like two arrows on top of each other](images/sort-order-icon.png)
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)

windows/keep-secure/change-history-for-keep-windows-10-secure.md

@@ -11,6 +11,14 @@ author: brianlic-msft
 # Change history for Keep Windows 10 secure
 This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
 
+## May 2016
+
+|New or changed topic | Description |
+|----------------------|-------------|
+| [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. |
+| [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content |
+| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview |
+
 ## April 2016
 
 |New or changed topic | Description |

windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,103 @@
+---
+title: Configure Windows Defender ATP endpoints
+description: Use Group Policy or SCCM to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service.
+keywords: configure endpoints, client onboarding, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm, system center configuration manager
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: iaanw
+---
+
+# Configure Windows Defender ATP endpoints
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+You can use a Group Policy (GP) configuration package, a System Center Configuration Manager (SCCM) package, or an automated script to configure endpoints.
+
+## Configure with Group Policy
+Using the GP configuration package ensures your endpoints will be correctly configured to report to the Windows Defender ATP service.
+
+> **Note**&nbsp;&nbsp;To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. The endpoints must be running Windows 10 Insider Preview Build 14332 or later.
+
+1.  Open the GP configuration package .zip file (*WindowsATPOnboardingPackage_GroupPolicy.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+    a.  Click **Client onboarding** on the **Navigation pane**.
+
+    b.  Select **Group Policy**, click **Download package** and save the .zip file.
+
+2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
+
+3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+
+4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
+
+5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
+
+6. In the  **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
+
+7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
+
+8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
+
+9. Click **OK** and close any open GPMC windows.
+
+For additional settings, see the [Additional configuration settings section](additional-configuration-windows-defender-advanced-threat-protection.md).
+
+
+## Configure with System Center Configuration Manager
+
+1. Open the SCCM configuration package .zip file (*WindowsATPOnboardingPackage_ConfigurationManager.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+    a. Click **Client onboarding** on the **Navigation pane**.
+
+    b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file.
+
+2.	Copy the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package.
+
+3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
+
+4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
+
+    a. Choose a predefined device collection to deploy the package to.
+
+
+## Configure endpoints individually with an automated script
+<a name="manual"></a>
+You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
+
+
+1.  Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+    a.  Click **Client onboarding** on the **Navigation pane**.
+
+    b.  Select **Manually on-board local machine**, click **Download package** and save the .zip file.
+
+
+2.  Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
+
+2.  Open an elevated command-line prompt on the endpoint and run the script:
+
+    a.  Click **Start** and type **cmd**.
+
+    b.  Right-click **Command prompt** and select **Run as administrator**.
+
+    ![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
+
+3.  Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`*
+
+4.  Press the **Enter** key or click **OK**.
+
+See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.
+
+## Related topics
+<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
+- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,184 @@
+---
+title: Configure Windows Defender ATP endpoint proxy and Internet connection settings
+description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service.
+keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, web proxy auto detect, wpad, netsh, winhttp, proxy server
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+
+# Configure endpoint proxy and Internet connectivity settings
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
+
+The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service.
+
+The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
+
+- Configure Web Proxy Auto Detect (WPAD) settings and configure Windows to automatically detect the proxy server
+
+- Configure the proxy server manually using Netsh
+
+## Configure Web Proxy Auto Detect (WPAD) settings and proxy server
+
+Configure WPAD in the environment and configure Windows to automatically detect the proxy server through Policy or the local Windows settings.
+
+Enable the **Automatically detect settings** option in the Windows Proxy settings so that WinHTTP can use the WPAD feature to locate a proxy server.
+
+1. Click **Start** and select **Settings**.
+
+2. Click **Network & Internet**.
+
+3. Select **Proxy**.
+
+4. Verify that the **Automatically detect settings** option is set to On.
+
+    ![Image showing the proxy settings configuration page](images/proxy-settings.png)
+
+5. If the **Use setup script** or **Manual proxy setup** options are enabled then you will need to [configure proxy settings manually by using Netsh](#configure-proxy-server-manually-using-netsh) method for WinHTTP to discover the appropriate proxy settings and connect.
+
+## Configure the proxy server manually using Netsh
+
+If **Use setup script** or **Manual proxy setup** settings are configured in the Windows Proxy setting, then endpoints will not be discovered by WinHTTP.
+Use Netsh to configure the proxy settings to enable connectivity.
+
+You can configure the endpoint by using any of these methods:
+
+- Importing the configured proxy settings to WinHTTP
+- Configuring the proxy settings manually to WinHTTP
+
+After configuring the endpoints, you'll need to verify that the correct proxy settings were applied.
+
+**Import the configured proxy settings to WinHTTP**
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+    a.  Click **Start** and type **cmd**.
+
+    b.  Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command and press **Enter**:
+
+ ```text
+ netsh winhttp import proxy source=ie
+ ```
+ An output showing the applied WinHTTP proxy settings is displayed.
+
+
+ **Configure the proxy settings manually to WinHTTP**
+
+ 1.  Open an elevated command-line prompt on the endpoint:
+
+    a.  Click **Start** and type **cmd**.
+
+    b.  Right-click **Command prompt** and select **Run as administrator**.
+
+ 2. Enter the following command and press **Enter**:
+
+ ```text
+ proxy [proxy-server=] ProxyServerName:PortNumber
+ ```
+    Replace *ProxyServerName* with the fully qualified domain name of the proxy server.
+
+    Replace *PortNumber* with the port number that you want to configure the proxy server with.
+
+ An output showing the applied WinHTTP proxy settings is displayed.
+
+
+**Verify that the correct proxy settings were applied**
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+    a.  Click **Start** and type **cmd**.
+
+    b.  Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command and press **Enter**:
+
+```
+netsh winhttp show proxy
+```
+
+For more information on how to use Netsh see, [Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)](https://technet.microsoft.com/en-us/library/cc731131(v=ws.10).aspx)     
+
+## Enable access to Windows Defender ATP service URLs in the proxy server
+
+If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
+
+- us.vortex-win.data.microsoft.com  
+- eu.vortex-win.data.microsoft.com
+- sevillegwcus.microsoft.com
+- sevillegweus.microsoft.com
+- sevillegwweu.microsoft.com
+- sevillegwneu.microsoft.com
+- www.microsoft.com
+- crl.microsoft.com
+- \*.blob.core.windows.net
+
+If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP  sensor is connecting from system context, make sure anonymous traffic is permitted to the above listed URLs.
+
+## Verify client connectivity to Windows Defender ATP service URLs
+
+Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
+
+1. Download the connectivity verification tools to the PC where Windows Defender ATP sensor is running on:
+
+    - [Download PsTools Suite](https://technet.microsoft.com/en-us/sysinternals/bb896649)
+    - [Download PortQry Command Line Port Scanner Version 2.0 utility](https://www.microsoft.com/en-us/download/details.aspx?id=17148)
+
+2. Extract the contents of **PsTools** and **PortQry** to a directory on the computer hard drive.
+
+3.  Open an elevated command-line:
+
+    a. Click **Start** and type **cmd**.
+
+    b.  Right-click **Command prompt** and select **Run as administrator**.
+
+4. Enter the following command and press **Enter**:
+
+    ```
+    HardDrivePath\PsExec.exe -s cmd.exe
+    ```
+    Replace *HardDrivePath* with the path where the PsTools Suite was extracted to:
+    ![Image showing the command line](images/psexec-cmd.png)
+
+5. Enter the following command and press **Enter**:
+
+    ```
+    HardDrivePath\portqry.exe -n us.vortex-win.data.microsoft.com -e 443 -p tcp
+    ```
+    Replace *HardDrivePath* with the path where the PortQry utility was extracted to:
+    ![Image showing the command line](images/portqry.png)
+
+6.	Verify that the output shows that the name is **resolved** and connection status is **listening**.
+
+7. Repeat the same steps for the remaining URLs with the following arguments:
+
+    - portqry.exe -n eu.vortex-win.data.microsoft.com -e 443 -p tcp
+    - portqry.exe -n sevillegwcus.microsoft.com -e 443 -p tcp
+    - portqry.exe -n sevillegweus.microsoft.com -e 443 -p tcp
+    - portqry.exe -n sevillegwweu.microsoft.com -e 443 -p tcp
+    - portqry.exe -n sevillegwneu.microsoft.com -e 443 -p tcp
+    - portqry.exe -n www.microsoft.com -e 80 -p tcp
+    - portqry.exe -n crl.microsoft.com -e 80 -p tcp
+
+8. Verify that each URL shows that the name is **resolved** and the connection status is **listening**.
+
+If the any of the verification steps indicate a fail, then verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
+
+## Related topics
+<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
+- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

windows/keep-secure/configure-the-application-identity-service.md

@@ -46,11 +46,4 @@ Membership in the local **Administrators** group, or equivalent, is the minimum
 
 3.  Verify that the status for the Application Identity service is **Running**.
 
- 
-
- 
-
-
-
-
-
+Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic**. 

windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,94 @@
+---
+title: View the Windows Defender Advanced Threat Protection Dashboard
+description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts.
+keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+---
+
+# View the Windows Defender Advanced Threat Protection Dashboard
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+The **Dashboard** displays a snapshot of:
+
+- The latest active alerts on your network
+- Machines reporting
+- Top machines with active alerts
+- The overall status of Windows Defender ATP for the past 30 days
+- Machines with active malware detections
+
+You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
+
+From the **Dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
+
+It also has clickable tiles that give visual cues on the overall health status of your organization. Each tile opens a detailed view of the corresponding overview.
+
+## ATP alerts
+You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**.
+
+![Click on each slice or severity to see a list of alerts from the past 30 days](images/atp.png)
+
+Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**).
+
+See the [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topic for more information.
+
+The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topics for more information.
+
+## Machines at risk
+This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to its label).
+
+![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png)
+
+Click the name of the machine to see details about that machine. See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine) topic for more information.
+
+You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) topic for more information.
+
+## Status
+The **Status** tile informs you if the service is active and running and the specific number of machines (endpoints) reporting to Windows Defender ATP.
+
+![The Status tile shows an overall indicator of the service and the total number of machines reporting to the service](images/status-tile.png)
+
+## Machines reporting
+The **Machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
+
+![The Machines reporting tile shows the number of machines reporting each day for the past 30 days](images/machines-reporting-tile.png)
+
+## Machines with active malware detections
+The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender.
+
+Active malware is defined as threats that are actively executing at the time of detection.
+
+Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of endpoints with at least one active detection (as **Machines**) over the past 30 days.
+
+![The Machines with active malware detections tile shows the number of threats and machines for each threat category](images/machines-active-threats-tile.png)
+
+The chart is sorted into five categories:
+
+- **Password stealer** - threats that attempt to steal credentials.
+- **Ransomware** - threats that prevent user access to a machine or its files and demand payment to restore access.
+- **Exploit** - threats that use software vulnerabilities to infect machines.
+- **Threat** - all other threats that don't fit into the **Password stealer**, **Ransomware**, or **Exploit** categories. This includes trojans, worms, backdoors, and viruses.
+- **Low severity** - threats with low severity, including adware and potentially unwanted software such as browser modifiers.
+
+Threats are considered "active" if there is a very high probability that the malware was executing on your network, as opposed to statically located on-disk.
+
+Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
+
+> **Note**&nbsp;&nbsp;The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+
+### Related topics
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)

windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,73 @@
+---
+title: Windows Defender ATP data storage and privacy
+description: Learn about how Windows Defender ATP handles privacy and data that it collects.
+keywords: Windows Defender ATP data storage and privacy, storage, privacy
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+---
+
+# Windows Defender ATP data storage and privacy
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
+> **Note**&nbsp;&nbsp;This document covers the information specific to the Windows Defender ATP service. Other data shared and stored by Windows Defender and Windows 10 is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See the [Windows 10 privacy FAQ for more information](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq).
+
+## What data does Windows Defender ATP collect?
+
+Microsoft will collect and store information from your configured endpoints in a database specific to the service for administration, tracking, and reporting purposes.
+
+Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version).
+
+Microsoft stores this data in a Microsoft Azure security-specific data store, and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
+
+Microsoft uses this data to:
+- Proactively identify indicators of attack (IOAs) in your organization
+- Generate alerts if a possible attack was detected
+- Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.
+
+Microsoft does not mine your data for advertising or for any other purpose other than providing you the service.
+
+## Do I have the flexibility to select where to store my data?
+
+Data for this new service is stored in Microsoft Azure datacenters in the United States and European Union based on the geolocation properties. Subject to the relevant preview program you may be able to specify your preferred geolocation when you onboard to the service. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations in which your data will reside. Microsoft will not transfer the data from the specified geolocation except in specific circumstances during the preview stage.
+
+## Is my data isolated from other customer data?
+Yes. The new cloud service provides appropriate segregation at a number of levels, such as isolation of files, configurations, and telemetry data. Aside from data access authentication, simply keeping different data appropriately segregated provides well-recognized protection.
+
+## How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
+
+Microsoft developers and administrators have, by design, been given sufficient privileges to carry out their assigned duties to operate and evolve the service. Microsoft deploys combinations of preventive, detective, and reactive controls including the following mechanisms to help protect against unauthorized developer and/or administrative activity:
+
+- Tight access control to sensitive data
+- Combinations of controls that greatly enhance independent detection of malicious activity
+- Multiple levels of monitoring, logging, and reporting
+
+Additionally, Microsoft conducts background verification checks of certain operations personnel, and limits access to applications, systems, and network infrastructure in proportion to the level of background verification. Operations personnel follow a formal process when they are required to access a customer’s account or related information in the performance of their duties.
+
+## Is data shared with other customers?
+No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
+
+## How long will Microsoft store my data? What is Microsoft’s data retention policy?
+Your data privacy is one of Microsoft's key commitments for the cloud. For this service, at contract termination or expiration, your data will be erased from Microsoft’s systems to make it unrecoverable after 90 days (from contract termination or expiration).
+
+## Can Microsoft help us maintain regulatory compliance?
+Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsoft’s compliance standards.
+By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service.
+
+## Is there a difference between how Microsoft handles data for the preview programs and for General Availability?
+Subject to the preview program you are in, you could be asked to choose to store your data in a datacenter either in Europe or United States. Your data will not be copied or moved outside of the datacenter you choose, except in the following specific circumstance:
+
+1.	You choose Europe as your datacenter, and
+2.	You [submit a file for deep analysis](investigate-files-windows-defender-advanced-threat-protection.md#submit-files-for-analysis).
+
+In this circumstance, the submitted file will be sent to the US deep analysis laboratory. The results of the analysis will be stored in the European datacenter, and the file and data will be deleted from the US deep analysis laboratory and datacenter.
+
+This is a temporary measure as we work to integrate our deep analysis capabilities into the European datacenter. If you have any concerns or questions about submitting files for deep analysis and you are using a European datacenter, or if you’d like to be updated as to when the European deep analysis lab is online, email [winatp@microsoft.com](mailto:winatp@microsoft.com).

windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,249 @@
+---
+title: Review events and errors on endpoints with Event Viewer
+description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service.
+keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Advanced Threat Protection service, cannot start, broken, can't start
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: iaanw
+---
+
+
+# Review events and errors on endpoints with Event Viewer
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints.
+
+For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
+
+> **Note**&nbsp;&nbsp;It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
+
+**Open Event Viewer and find the Windows Defender ATP service event log:**
+
+1.  Click **Start**, type **Event Viewer**, and press **Enter**.
+
+2.  In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to
+    open the log.
+
+  a.  You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**.
+
+    > **Note**&nbsp;&nbsp;SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+
+3.  Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service.
+
+<table>
+<tbody style="vertical-align:top;">
+<tr>
+<th>Event ID</th>
+<th>Message</th>
+<th>Description</th>
+<th>Action</th>
+</tr>
+<tr>
+<td>1</td>
+<td>Windows Advanced Threat Protection service started (Version ```variable```).</td>
+<td>Occurs during system start up, shut down, and during onbboarding.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>2</td>
+<td>Windows Advanced Threat Protection service shutdown.</td>
+<td>Occurs when the endpoint is shut down or offboarded.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>3</td>
+<td>Windows Advanced Threat Protection service failed to start. Failure code: ```variable```</td>
+<td>Service did not start.</td>
+<td>Review other messages to determine possible cause and troubleshooting steps.</td>
+</tr>
+<tr>
+<td>4</td>
+<td>Windows Advanced Threat Protection service contacted the server at ```variable```.</td>
+<td>variable = URL of the Windows Defender ATP processing servers.<br>
+This URL will match that seen in the Firewall or network activity.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>5</td>
+<td>Windows Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
+<td>variable = URL of the Windows Defender ATP processing servers.<br>
+The service could not contact the external processing servers at that URL.</td>
+<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity).</td>
+</tr>
+<tr>
+<td>6</td>
+<td>Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found.</td>
+<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>Onboarding must be run before starting the service.<br>
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
+</tr>
+<tr>
+<td>7</td>
+<td>Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: ```variable```</td>
+<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>8</td>
+<td>Windows Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```</td>
+<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>9</td>
+<td>Windows Advanced Threat Protection service failed to change its start type. Failure code: ```variable```</td>
+<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>10</td>
+<td>Windows Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```</td>
+<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>11</td>
+<td>Windows Advanced Threat Protection service completed.</td>
+<td>The endpoint onboarded correctly.</td>
+<td>Normal operating notification; no action required.<br>
+It may take several hours for the endpoint to appear in the portal.</td>
+</tr>
+<tr>
+<td>12</td>
+<td>Windows Advanced Threat Protection failed to apply the default configuration.</td>
+<td>Service was unable to apply configuration from the processing servers.</td>
+<td>This is a server error and should resolve after a short period.</td>
+</tr>
+<tr>
+<td>13</td>
+<td>Service machine ID calculated: ```variable```</td>
+<td>Normal operating process.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>14</td>
+<td>Service cannot calculate machine ID. Failure code: ```variable```</td>
+<td>Internal error.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>15</td>
+<td>Windows Advanced Threat Protection cannot start command channel with URL: ```variable```</td>
+<td>variable = URL of the Windows Defender ATP processing servers.<br>
+The service could not contact the external processing servers at that URL.</td>
+<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).</td>
+</tr>
+<tr>
+<td>17</td>
+<td>Windows Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```</td>
+<td>An error occurred with the Windows telemetry service.</td>
+<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled)<br>
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>18</td>
+<td>OOBE (Windows Welcome) is completed.</td>
+<td>Service will only start after any Windows updates have finished installing.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>19</td>
+<td>OOBE (Windows Welcome) has not yet completed.</td>
+<td>Service will only start after any Windows updates have finished installing.</td>
+<td>Normal operating notification; no action required.<br>
+If this error persists after a system restart, ensure all Windows updates have full installed.</td>
+</tr>
+<tr>
+<td>20</td>
+<td>Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable```</td>
+<td>Internal error.</td>
+<td>If this error persists after a system restart, ensure all Windows updates have full installed.</td>
+</tr>
+<tr>
+<td>25</td>
+<td>Windows Advanced Threat Protection service failed to reset health status in the registry, causing the onboarding process to fail. Failure code: ```variable```</td>
+<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>26</td>
+<td>Windows Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```</td>
+<td>The endpoint did not onboard correctly.<br>
+It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>27</td>
+<td>Windows Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```</td>
+<td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
+Ensure real-time antimalware protection is running properly.</td>
+</tr>
+<tr>
+<td>28</td>
+<td>Windows Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```</td>
+<td>An error occurred with the Windows telemetry service.</td>
+<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>30</td>
+<td>Windows Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```</td>
+<td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
+Ensure real-time antimalware protection is running properly.</td>
+</tr>
+<tr>
+<td>31</td>
+<td>Windows Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```</td>
+<td>An error occurred with the Windows telemetry service.</td>
+<td>[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).</td>
+</tr>
+<tr>
+<td>33</td>
+<td>Windows Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```</td>
+<td>A unique identifier is used to represent each endpoint that is reporting to the portal.<br>
+If the identifier does not persist, the same machine might appear twice in the portal.</td>
+<td>Check registry permissions on the endpoint to ensure the service can update the registry.</td>
+</tr>
+<tr>
+<td>34</td>
+<td>Windows Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```</td>
+<td>An error occurred with the Windows telemetry service.</td>
+<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+</tr>
+</tbody>
+</table>
+
+
+
+## Related topics
+<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
+- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,62 @@
+---
+title: Investigate Windows Defender Advanced Threat Protection alerts
+description: Use the investigation options to get details on which alerts are affecting your network, what they mean, and how to resolve them.
+keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+---
+
+# Investigate Windows Defender Advanced Threat Protection alerts
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization.
+
+There are three alert severity levels, described in the following table.
+
+Alert severity | Description
+:---|:---
+High (Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
+Medium (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
+Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization.
+
+Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
+
+Alerts are organized in three queues, by their workflow status:
+
+- **New**
+- **In progress**
+- **Resolved**
+
+To begin investigating, click on an alert in [any of the alert queues](alerts-queue-windows-defender-advanced-threat-protection.md).
+
+Details displayed about the alert include:
+- When the alert was last observed
+- Alert description
+- Recommended actions
+- The potential scope of breach
+- The indicators that triggered the alert
+
+![A detailed view of an alert when clicked](images/alert-details.png)
+
+Alerts attributed to an adversary or actor display a colored tile with the actor name.
+
+Click on the actor's name to see a threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as areas where it's active worldwide. You will also see a set of recommended actions to take.
+
+Some actor profiles include a link to download a more comprehensive threat intelligence report.
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)

windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,50 @@
+---
+title: Investigate Windows Defender Advanced Threat Protection domains
+description: Use the investigation options to see if machines and servers have been communicating with malicious domains.
+keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL 
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+# Investigate a domain associated with a Windows Defender ATP alert
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
+
+You can see information from the following sections in the URL view:
+
+- URL details
+- URL in organization
+- Prevalence in organization
+- Communication with URL from organization
+
+The URL address details section shows attributes of the URL such as its contacts and nameservers.
+
+The **URL in organization** section provides details on the prevalence of the URL in the organization.
+
+The **Communication with URL in organization** section provides a chronological view on the events and associated alerts that were observed on the URL.
+
+**Investigate a domain:**
+
+1. Select **URL** from the **Search bar** drop-down menu.
+2. Enter the URL in the **Search** field.
+3. Click the search icon   or press **Enter**. Details about the URL are displayed. Note: search results will only be returned for URLs observed in communications from machines in the organization.
+4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the URL, the file associated with the communication and the last date observed.
+5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
+
+## Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)

windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,135 @@
+---
+title: Investigate Windows Defender Advanced Threat Protection files
+description: Use the investigation options to get details on files associated with alerts, behaviours, or events.
+keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+# Investigate a file associated with a Windows Defender ATP alert
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
+
+You can get information from the following sections in the file view:
+
+- File details
+- Deep analysis
+- File in organization
+- Observed in organization
+
+The file details section shows attributes of the file such as its MD5 hash or number and its prevalence worldwide.
+
+The **Deep analysis** section provides the option of submitting a file for deep analysis to gain detailed visibility on observed suspicious behaviors, and associated artifacts. For more information on submitting files for deep analysis, see the **Deep analysis** topic.
+
+The **File in organization** section provides details on the prevalence of the file and the name observed in the organization.
+
+The **Observed in organization** section provides a chronological view on the events and associated alerts that were observed on the file.
+
+You'll see a list of machines associated with the file and a description of the action taken by the file.
+
+**Investigate a file**
+
+1. Select the file you want to investigate. You can select a file from any of the following views or use the Search box:
+  - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
+  - Machines view - click the file links in the **Description** or **Details** columns in the **Observed on machine** section
+  - Search box - select **File** from the drop-down menu and enter the file name
+2. View the file details.
+3. Use the search filters to define the search criteria. You can also use the timeline search box to further filter displayed search results.
+
+##Deep analysis
+Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
+
+The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
+Deep analysis currently supports extensive analysis of PE (portable executable) files (including _.exe_ and _.dll_ files).
+
+Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk.
+
+Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
+
+## Submit files for analysis
+
+Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
+
+In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
+
+> **Note**&nbsp;&nbsp;Only files from Windows 10 can be automatically collected.
+
+You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/en-us/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
+
+> **Note**&nbsp;&nbsp;Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
+
+When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications.
+
+**Submit files for deep analysis:**
+
+1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
+  - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
+  - **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section
+  - Search box - select **File** from the drop-down menu and enter the file name
+2. In the **Deep analysis** section of the file view, click **Submit**.
+
+![You can only submit PE files in the file details seciton](images/submit-file.png)
+
+>**Note**&nbsp;&nbsp;Only portable executable (PE) files are supported, including _.exe_ and _.dll_ files
+
+A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
+
+> **Note**&nbsp;&nbsp;Depending on machine availability, sample collection time can vary. There is a 1-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
+
+## View deep analysis report
+
+View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
+
+You can view the comprehensive report that provides details on:
+
+- Observed behaviors
+- Associated artifacts
+
+The details provided can help you investigate if there are indications of a potential attack.
+
+**View deep analysis reports:**
+
+1. Select the file you submitted for deep analysis.
+2. Click **See the report below**. Information on the analysis is displayed.
+
+![The deep analysis report shows detailed information across a number of categories](images/analysis-results.png)
+
+## Troubleshooting deep analysis
+
+If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
+
+**Troubleshoot deep analysis:**
+
+1. Ensure the file is a PE. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
+2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
+3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
+4. Verify the policy setting enables sample collection and try to submit the file again.
+
+  a. Change the following registry entry and values to change the policy on specific endpoints:
+ ```
+HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
+  Value = 0 - block sample collection
+  Value = 1 - allow sample collection
+```
+5. Change the organizational unit through the Group Policy. See [Configure with Group Policy](additional-configuration-windows-defender-advanced-threat-protection.md#configure-with-group-policy).
+6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
+
+> **Note**&nbsp;&nbsp;If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)

windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,58 @@
+---
+title: Investigate Windows Defender Advanced Threat Protection IP address
+description: Use the investigation options to examine possible communication between machines and external IP addresses.
+keywords: investigate, investigation, IP address, alert, windows defender atp, external IP
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+# Investigate an IP address associated with a Windows Defender ATP alert
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+
+Examine possible communication between your machines and external internet protocol (IP) addresses.
+
+Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.
+
+You can information from the following sections in the IP address view:
+
+- IP address details
+- IP in organization
+- Communication with IP from organization
+
+The IP address details section shows attributes of the IP address such as its ASN and its reverse IPs.
+
+The **IP in organization** section provides details on the prevalence of the IP address in the organization.
+
+The **Communication with IP in organization** section provides a chronological view on the events and associated alerts that were observed on the IP address.
+
+**Investigate an external IP:**
+
+1. Select **IP** from the **Search bar** drop-down menu.
+2. Enter the IP address in the **Search** field.
+3. Click the search icon or press **Enter**.
+
+Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of machines in the organization that communicated with this IP Address (during selectable time period), and the machines in the organization that were observed communicating with this IP address.
+
+> **Note**&nbsp;&nbsp;Search results will only be returned for IP addresses observed in communication with machines in the organization.
+
+Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the IP address, the file associated with the communication and the last date observed.
+
+Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
+
+## Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)

windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,152 @@
+---
+title: Investigate machines in the Windows Defender ATP Machines view
+description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view.
+keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, active malware detections, threat category, filter, sort, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, low severity
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Investigate machines in the Windows Defender ATP Machines view
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting telemetry in your network.
+
+Use the Machines view in these two main scenarios:
+
+- **During onboarding**
+  - During the onboarding process, the Machines view gradually gets populated with endpoints as they begin to report telemetry. Use this view to track your onboarded endpoints as they appear. Use the available features to sort and filer to see which endpoints have most recently reported telemetry, or download the complete endpoint list as a CSV file for offline analysis.
+- **Day-to-day work**
+  - The **Machines view** enables you to identify machines that are most at risk in a glance. High-risk machines are those with the greatest number and highest-severity alerts. By sorting the machines by risk, you'll be able to identify the most vulnerable machines and take action on them.
+
+The Machines view contains the following columns:
+
+- **Machine name** - the name or GUID of the machine
+- **Domain** - the domain the machine belongs to
+- **Last seen** - when the machine last reported telemetry
+- **Internal IP** - the local internal Internet Protocol (IP) address of the machine
+- **Active Alerts** - the number of alerts reported by the machine by severity
+- **Active malware detections** - the number of active malware detections reported by the machine
+
+> **Note**&nbsp;&nbsp;The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+
+Click any column header to sort the view in ascending or descending order.
+
+![Screenshot of the Machines view on the portal](images/machines-view.png)
+
+You can sort the **Machines view** by **Machine name**, **Last seen**, **IP**, **Active Alerts**, and **Active malware detections**. Scroll down the **Machines view** to see additional machines.
+
+The view contains two filters: time and threat category.
+
+You can filter the view by the following time periods:
+
+- 1 day
+- 3 days
+- 7 days
+- 30 days
+- 6 months
+
+> **Note**&nbsp;&nbsp;When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period.
+
+The threat category filter lets you filter the view by the following categories:
+
+- Password stealer
+- Ransomware
+- Exploit
+- Threat
+- Low severity
+
+See the [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections) topic for a description of each category.
+
+You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file.
+
+ **Note**: Exporting the list depends on the number of machines in your organization. It can take a significant amount of time to download, depending on how large your organization is.
+Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
+
+## Investigate a machine
+Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach.
+
+You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
+
+- The [Machines view](#Investigate-machines-in-the-Windows-Defender-ATP-Machines-view)
+- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- Any individual alert
+- Any individual file details view
+- Any IP address or domain details view
+
+When you investigate a specific machine, you'll see:
+
+- **Machine details**, **Machine IP Addresses**, and **Machine Reporting**
+- **Alerts related to this machine**
+- **Machine timeline**
+
+The machine details, IP, and reporting sections display some attributes of the machine such as its name, domain, OS, IP address, and how long it's been reporting telemetry to the Windows Defender ATP service.
+
+The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date that the alert was detected, a short description of the alert, the alert's severity, the alert's threat category, and the alert's status in the queue.
+
+The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine.
+
+You'll see an aggregated view of alerts, a short description of the alert, details on the action taken, and which user ran the action. This helps you see significant activities or behaviors that occurred on a machine within your network in relation to a specific time frame. Several icons are used to identify various detections and their current state. For more information, see [Windows Defender ATP icons](portal-overview-windows-defender-advanced-threat-protection.md#windows-defender-atp-icons).
+
+This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
+
+![The timeline shows an interactive history of the alerts seen on a machine](images/timeline.png)
+
+Use the search bar to look for specific alerts or files associated with the machine.
+
+You can also filter by:
+
+- Signed or unsigned files
+- Detections mode: displays Windows ATP Alerts and detections
+- Behaviors mode: displays "detections" and selected events of interest
+- Verbose mode: displays "behaviors" (including "detections"), and all reported events
+- Logged on users, System, Network, or Local service
+
+Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the events of the current day.
+
+Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and older.
+
+The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the **Alerts view** and click on the machine associated with the alert to jump to the specific date when the alert was observed, enabling you to investigate the events that took place around the alert.
+
+From the **Machine view**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line.
+
+From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the information to respond to events and keep your system secure.
+
+Windows Defender ATP monitors and captures questionable behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
+
+![The process tree shows you a hierarchical history of processes and events on the machine](images/machine-investigation.png)
+
+**Investigate a machine:**
+
+1. Select the machine that you want to investigate. You can select or search a machine from any of the following views:
+  - **Dashboard** - click the machine name from the **Top machines with active alerts** section
+  - **Alerts queue** - click the machine name beside the machine icon
+  - **Machines view** - click the heading of the machine name
+  - **Search box** - select **Machine** from the drop-down menu and enter the machine name
+2. Information about the specific machine is displayed.
+
+
+**Use the machine timeline**
+
+1. Use the sort and filter feature to narrow down the search results.
+2. Use the timeline search box to filter specific indicators that appear in the machine timeline.
+3. Click the expand icon ![The expand icon looks like a plus symbol](images/expand.png) in the timeline row or click anywhere on the row to see additional information about the alert, behavior, or event.
+
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)

windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,141 @@
+---
+title: Manage Windows Defender Advanced Threat Protection alerts
+description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu.
+keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+---
+
+# Manage Windows Defender Advanced Threat Protection alerts
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+Windows Defender ATP notifies you of detected, possible attacks or breaches through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.
+
+See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts) topic for more details on how to investigate alerts.
+
+Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the top of the alert to access the Manage Alert menu and manage alerts.
+
+![The manage alert menu lets you change the status of an alert, create suppression rules, or enter comments](images/manage-alert-menu.png)
+
+The **Manage alert** icon appears on the alert's heading in the **New**, **In Progress**, or **Resolved** queues, and on the details page for individual alerts.
+
+You can use the **Manage Alert** menu to:
+
+- Change the status of an alert
+- Resolve an alert
+- Suppress alerts so they won't show up in the **Alerts queue** from this point onwards
+- View the history and comments of an alert
+
+## Change the status of an alert
+
+You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts.
+
+For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis.
+
+Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
+
+**Change an alert's status:**
+
+1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of the alert.
+2. Choose the new status for the alert (the current status is highlighted in bold and appears on the alert).
+
+## Resolve an alert
+
+You can resolve an alert by changing the status of the alert to **Resolved**. This causes the **Resolve conclusion** window to appear, where you can indicate why the alert was resolved and enter any additional comments.
+
+![You can resolve an alert as valid, valid - allowed, or false alarm](images/resolve-alert.png)
+
+The comments and change of status are recorded in the [Comments and history window](#view-history-and-comments).
+
+![The comments window will display a history of status changes](images/comments.png)
+
+
+## Suppress alerts
+
+Windows Defender ATP lets you create suppression rules so you can limit the alerts you see in the **Alerts queue**.
+
+Suppression rules can be created from an existing alert.
+
+When a suppression rule is created, it will take effect from this point onwards. It will not affect existing alerts already in the queue, but new alerts triggered after the rule is created will not be displayed.
+
+There are two contexts for a suppression rule that you can choose from:
+
+- **Suppress alert on this machine**
+- **Suppress alert in my organization**
+
+The context of the rule lets you tailor the queue to ensure that only alerts you are interested in will appear. You can use the examples in the following table to help you choose the context for a suppression rule:
+
+**Context** | **Definition** |**Example scenarios**
+---|---|---
+**Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed. <br /><br />All other alerts on that machine will not be suppressed. | <ul><li>A security researcher is investigating a malicious script that has been used to attack other machines in your organization.</li><li>A developer regularly creates PowerShell scripts for their team.</li></ul>
+**Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. | <ul><li>A benign administrative tool is used by everyone in your organization.</li></ul>
+
+
+**Suppress an alert and create a suppression rule:**
+
+1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of an existing alert.
+2. Choose the context for suppressing the alert.
+
+> **Note**&nbsp;&nbsp;You cannot create a custom or blank suppression rule. You must start from an existing alert.
+
+**See the list of suppression rules:**
+
+1. Click the settings icon ![The settings icon looks like a cogwheel or gear](images/settings.png) on the main menu bar at the top of the Windows Defender ATP screen.
+2. Click **Suppression rules**.
+
+  ![Click the settings icon and then Suppression rules to create and modify rules](images/suppression-rules.png)
+
+> **Note**&nbsp;&nbsp;You can also click **See rules** in the confirmation window that appears when you suppress an alert.
+
+The list of suppression rules shows all the rules that users in your organization have created.
+Each rule shows:
+
+- (1) The title of the alert that is suppressed
+- (2) Whether the alert was suppressed for a single machine (clicking the machine name will allow you to investigate the machine) or the entire organization
+- (3) The date when the alert was suppressed
+- (4) An option to delete the suppression rule, which will cause alerts with this title to be displayed in the queue from this point onwards.
+
+![Suppression rules show the rule name or title, the context, the date, and an icon to delete the rule](images/rules-legend.png)
+
+## View the history and comments of an alert
+You can use the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to see a list of previous changes and comments made to the alert and to add new comments. You can also use the menu to open multiple alerts in different tabs so you can compare several alerts at the same time.
+
+Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** window.
+
+**See the history of an alert and its comments:**
+
+1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of the alert.
+2. Click **Comments and history** to view related comments and history on the alert.
+
+Comments are indicated by a message box icon (![The comments icon looks like a speech bubble](images/comments-icon.png)) and include the username of the commenter and the time the comment was made.
+
+**Add a new comment:**
+
+1. Type your comment into the field.
+2. Click **Post Comment**.
+
+The comment will appear instantly.
+
+You will also be prompted to enter a comment if you change the status of an alert to **Resolved**.
+
+Changes are indicated by a clock icon (![The changes icon looks like an analog clock face](images/changes-icon.png)), and are automatically recorded when:
+
+- The alert is created
+- The status of the alert is changed
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)

windows/keep-secure/microsoft-passport-errors-during-pin-creation.md

@@ -33,7 +33,7 @@ When a user encounters an error when creating the work PIN, advise the user to t
 
 1.  Try to create the PIN again. Some errors are transient and resolve themselves.
 
-2.  Log out, log in, and try to create the PIN again.
+2.  Sign out, sign in, and try to create the PIN again.
 
 3.  Reboot the device and then try to create the PIN again.
 
@@ -44,11 +44,7 @@ When a user encounters an error when creating the work PIN, advise the user to t
 If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
 
 <table>
-<colgroup>
-<col width="33%" />
-<col width="33%" />
-<col width="33%" />
-</colgroup>
+
 <thead>
 <tr class="header">
 <th align="left">Hex</th>
@@ -57,20 +53,13 @@ If the error occurs again, check the error code against the following table to s
 </tr>
 </thead>
 <tbody>
-<tr class="odd">
-<td align="left">0x801C03ED</td>
-<td align="left"><p>Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed</p>
-<p>-or-</p>
-<p>Token was not found in the Authorization header</p>
-<p>-or-</p>
-<p>Failed to read one or more objects</p></td>
-<td align="left">Unjoin the device from Azure Active Directory (Azure AD) and rejoin</td>
-</tr>
+
 <tr class="even">
 <td align="left">0x801C044D</td>
 <td align="left">Authorization token does not contain device ID</td>
 <td align="left">Unjoin the device from Azure AD and rejoin</td>
 </tr>
+
 <tr class="odd">
 <td align="left">0x80090036</td>
 <td align="left">User cancelled an interactive dialog</td>
@@ -95,6 +84,10 @@ If the error occurs again, check the error code against the following table to s
 <td align="left">0x80090005</td>
 <td align="left">NTE_BAD_DATA</td>
 <td align="left">Unjoin the device from Azure AD and rejoin</td>
+</tr><tr class="even">
+<td align="left">0x80090029</td>
+<td align="left">TPM is not set up.</td>
+<td align="left">Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. </td>
 </tr>
 <tr class="even">
 <td align="left">0x80090031</td>
@@ -124,17 +117,17 @@ If the error occurs again, check the error code against the following table to s
 <tr class="odd">
 <td align="left">0x801C0010</td>
 <td align="left">The AIK certificate is not valid or trusted</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="even">
 <td align="left">0x801C0011</td>
 <td align="left">The attestation statement of the transport key is invalid</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="odd">
 <td align="left">0x801C0012</td>
 <td align="left">Discovery request is not in a valid format</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="even">
 <td align="left">0x801C0015</td>
@@ -159,7 +152,7 @@ If the error occurs again, check the error code against the following table to s
 <tr class="even">
 <td align="left">0x801C03E9</td>
 <td align="left">Server response message is invalid</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="odd">
 <td align="left">0x801C03EA</td>
@@ -169,37 +162,42 @@ If the error occurs again, check the error code against the following table to s
 <tr class="even">
 <td align="left">0x801C03EB</td>
 <td align="left">Server response http status is not valid</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="odd">
 <td align="left">0x801C03EC</td>
 <td align="left">Unhandled exception from server.</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">sign out and then sign in again.</td>
 </tr>
 <tr class="even">
 <td align="left">0x801C03ED</td>
-<td align="left">The request sent to the server was invalid.</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left"><p>Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed</p>
+<p>-or-</p>
+<p>Token was not found in the Authorization header</p>
+<p>-or-</p>
+<p>Failed to read one or more objects</p>
+<p>-or-</p><p>The request sent to the server was invalid.</p></td>
+<td align="left">Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.</td>
 </tr>
 <tr class="odd">
 <td align="left">0x801C03EE</td>
 <td align="left">Attestation failed</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="even">
 <td align="left">0x801C03EF</td>
 <td align="left">The AIK certificate is no longer valid</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="odd">
 <td align="left">​0x801C044D</td>
 <td align="left">Unable to obtain user token</td>
-<td align="left">Log out and then log in again. Check network and credentials.</td>
+<td align="left">Sign out and then sign in again. Check network and credentials.</td>
 </tr>
 <tr class="even">
 <td align="left">0x801C044E</td>
 <td align="left">Failed to receive user creds input</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 </tbody>
 </table>
@@ -214,6 +212,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
 | Hex         | Cause                                                                                                 |
 |-------------|-------------------------------------------------------------------------------------------------------|
 | 0x80072f0c  | Unknown                                                                                               |
+| 0x80070057 | Invalid parameter or argument is passed |
 | 0x80090027  | Caller provided wrong parameter. If third-party code receives this error they must change their code. |
 | 0x8009002D  | NTE\_INTERNAL\_ERROR                                                                                  |
 | 0x80090020  | NTE\_FAIL                                                                                             |

windows/keep-secure/microsoft-passport-guide.md

@@ -4,6 +4,7 @@ description: This guide describes the new Windows Hello and Microsoft Passport t
 ms.assetid: 11EA7826-DA6B-4E5C-99FB-142CC6BD9E84
 keywords: ["security", "credential", "password", "authentication"]
 ms.prod: W10
+ms.pagetype: security
 ms.mktglfcycl: plan
 ms.sitesec: library
 author: challum
@@ -405,7 +406,7 @@ Table 1. Deployment requirements for Microsoft Passport
 
  
 
-Note that the current release of Windows 10 supports the Azure AD–only scenarios. Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities.
+Note that the current release of Windows 10 supports the Azure AD–only (RTM) and hybrid scenarios (RTM + November Update). Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities.
 
 **Select policy settings**
 
@@ -465,17 +466,19 @@ In the Windows 10 initial release, Microsoft supports the following Microsoft P
 
 -   Microsoft Passport for Work support for organizations that have cloud-only Azure AD deployments
 
--   Group Policy settings to control Microsoft Passport PIN length and complexity
+-   Group Policy and MDM settings to control Microsoft Passport PIN length and complexity
+
+In the November 2015 release, Microsoft supports the following Microsoft Passport and Windows Hello features:
+
+- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments
+
+- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates
 
 In future releases of Windows 10, we plan to add support for additional features:
 
--   Additional biometric identifier types, including iris recognition
-
--   Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments
-
--   Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates
-
--   TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake)
+- Key-based and certificate-based Microsoft Passport for Work credentials for on-premises AD deployments
+ 
+- TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake)
 
 In the longer term, Microsoft will continue to improve on and expand the features of both Microsoft Passport and Windows Hello to cover additional customer requirements for manageability and security. We also are working with the FIDO Alliance and a variety of third parties to encourage adoption of Microsoft Passport by both web and LOB application developers.
 

windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,56 @@
+---
+title: Minimum requirements for Windows Defender Advanced Threat Protection
+description: Minimum network and data storage configuration, endpoint hardware and software requirements, and deployment channel requirements for Windows Defender ATP.
+keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, endpoint, endpoint configuration, deployment channel
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: iaanw
+---
+
+# Minimum requirements for Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+There are some minimum requirements for onboarding your network and endpoints.
+
+## Minimum requirements
+
+### Network and data storage and configuration requirements
+<!---Your organization must use Azure Active Directory (AAD) to manage users. AAD is used during service onboarding to manage user-based access to the [Windows Defender ATP portal](https://securitycenter.windows.com/).--->
+
+<!--If you’d like help with using AAD to set up user access, contact the [Windows Defender ATP Yammer group](https://www.yammer.com/wsscengineering/\#/threads/inGroup?type=in\_group&feedId=7108776&view=all) or email [winatp@microsoft.com](mailto:winatp@microsoft.com).-->
+
+When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in either a European or United States datacenter.
+
+> **Notes**&nbsp;&nbsp;
+-   You cannot change your data storage location after the first-time setup.
+-   Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data.
+
+### Endpoint hardware and software requirements
+Endpoints on your network must be running Windows 10 Insider Preview Build 14332 or later. The hardware requirements for Windows Defender ATP on endpoints is the same as those for Windows 10 Insider Preview Build 14332 or later.
+
+> **Note**&nbsp;&nbsp;Endpoints that are running Windows Server and mobile versions of Windows are not supported.
+
+Internet connectivity on endpoints is also required. See [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)  for additional proxy configuration settings.
+
+Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section.
+
+### Deployment channel operating system requirements
+
+You can choose to onboard endpoints with a scheduled Group Policy (GP) or System Center Configuration Manager (SCCM) update (using a configuration package that you download from the portal or during the service onboarding wizard), or by manually running a script to modify the registry.
+
+The following describes the minimum operating system or software version
+required for each deployment channel.
+
+Deployment channel | Minimum server requirements
+:---|:---
+Group Policy settings | Windows Server 2008 R2
+System Center Configuration Manager | SCCM 2012
+Manual (script) | No minimum requirements

windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,65 @@
+---
+title: Monitor Windows Defender ATP onboarding
+description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports.
+keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Monitor Windows Defender Advanced Threat Protection onboarding
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14322 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+You can monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports.
+
+You might need to monitor the onboarding if the package did not configure the registry correctly, or the reporting client did not start or execute correctly.
+
+Monitoring can be done directly on the portal, or by using System Center Configuration Manager (SCCM).
+
+## Monitor with the portal
+
+1.  Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
+
+2.  Click **Machines view**.
+
+3.  Verify that endpoints are appearing.
+
+
+> **Note**&nbsp;&nbsp;It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
+
+## Monitor with System Center Configuration Manager
+
+Monitoring with SCCM consists of two parts:
+
+1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network.
+
+2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service).
+
+**To confirm the configuration package has been correctly deployed:**
+
+1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane.
+
+2. Click **Overview** and then **Deployments**.
+
+3. Click on the deployment with the package name.
+
+4. Review the status indicators under **Completion Statistics** and **Content Status**.
+
+If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to  troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information.
+
+![SCCM showing successful deployment with no errors](images/sccm-deployment.png)
+
+## Related topics
+<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
+- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,40 @@
+---
+title: Onboard endpoints and set up the Windows Defender ATP user access
+description: Set up user access in Azure Active Directory and use Group Policy, SCCM, or do manual registry changes to onboard endpoints to the service.
+keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: iaanw
+---
+
+# Onboard and set up Windows Defender Advanced Threat Protection
+
+**Applies to:**
+
+- Windows 10 TAP program
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+You need to onboard to Windows Defender ATP before you can use the service.
+
+<!--There are two stages to onboarding:
+
+1.  Set up user access in AAD and use a wizard to create a dedicated
+    cloud instance for your network (known as “service onboarding”).
+
+2.  Add endpoints to the service with System Center Configuration Manager, scheduled GP updates, or manual
+    registry changes.-->
+
+<!--[Service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md) | Learn about managing user access to the Windows Defender ATP portal by assigning users to the Windows Defender ATP service application in Azure Active Directory (AAD).-->
+
+## In this section
+Topic | Description
+:---|:---
+[Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn how you can use the configuration package to configure endpoints in your enterprise.
+[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
+[Additional configuration settings] (additional-configuration-windows-defender-advanced-threat-protection.md) | Learn how to configure settings for sample sharing used in the deep analysis feature.
+[Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) | Learn how you can monitor the onboarding to ensure your endpoints are correctly configured and are sending telemetry reports.
+[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.

windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,68 @@
+---
+title: Windows Defender Advanced Threat Protection portal overview
+description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
+keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, client onboarding, advanced attacks
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: DulceMV
+---
+
+# Windows Defender Advanced Threat Protection portal overview
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+
+Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
+
+You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
+- View, sort, and triage alerts from your endpoints
+- Search for more information on observed indicators such as files and IP Addresses
+- Change Windows Defender ATP settings, including time zone and alert suppression rules
+
+## Windows Defender ATP portal
+When you open the portal, you’ll see the main areas of the application:
+- (1) Settings
+- (2) Navigation pane
+- (3) Main portal
+- (4) Search bar
+
+
+ ![Windows Defender Advanced Threat Protection portal](images/portal-image.png)
+
+> **Note**&nbsp;&nbsp;Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+
+You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
+
+Area | Description
+:---|:---
+(1) Settings | Provides access to configuration settings such as time zone, alert suppression rules, and license information.
+(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Client onboarding**.
+**Dashboard**	| Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
+**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
+**Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
+**Preferences setup**|	Shows the settings you selected <!--during [service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md),-->and lets you update your industry preferences and retention policy period.
+**Client onboarding**|	Allows you to download the onboarding configuration package.
+(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view.
+(4) Search | Search for machines, files, external IP Addresses, or domains across endpoints. The drop-down combo box allows you to select the entity type.
+
+## Windows Defender ATP icons
+The following table provides information on the icons used all throughout the portal:
+
+Icon | Description
+:---|:---
+![Alert icon](images/alert-icon.png)| Alert – Indication of an activity correlated with advanced attacks.
+![Detection icon](images/detection-icon.png)| Detection – Indication of a malware threat detection.
+![Active threat icon](images/active-threat-icon.png)| Active threat – Threats actively executing at the time of detection.
+![Remediated icon](images/remediated-icon.png)| Remediated – Threat removed from the machine
+![Not remediated icon](images/not-remediated-icon.png)| Not remediated – Threat not removed from the machine.
+
+
+### Related topic
+[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)

windows/keep-secure/security-technologies.md

@@ -10,60 +10,19 @@ author: brianlic-msft
 
 # Security technologies
 
-
 Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile.
 
-## In this section
-
-
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Topic</th>
-<th align="left">Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>[AppLocker](applocker-overview.md)</p></td>
-<td align="left"><p>This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[BitLocker](bitlocker-overview.md)</p></td>
-<td align="left"><p>This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Encrypted Hard Drive](encrypted-hard-drive.md)</p></td>
-<td align="left"><p>Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Security auditing](security-auditing-overview.md)</p></td>
-<td align="left"><p>Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Security policy settings](security-policy-settings.md)</p></td>
-<td align="left"><p>This reference topic describes the common scenarios, architecture, and processes for security settings.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Trusted Platform Module](trusted-platform-module-overview.md)</p></td>
-<td align="left"><p>This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[User Account Control](user-account-control-overview.md)</p></td>
-<td align="left"><p>User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Windows Defender in Windows 10](windows-defender-in-windows-10.md)</p></td>
-<td align="left"><p>This topic provides an overview of Windows Defender, including a list of system requirements and new features.</p></td>
-</tr>
-</tbody>
-</table>
-
- 
+| Topic | Description |
+|-|-|
+| [AppLocker](applocker-overview.md)| This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.|
+| [BitLocker](bitlocker-overview.md)| This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.|
+| [Encrypted Hard Drive](encrypted-hard-drive.md) | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
+| [Security auditing](security-auditing-overview.md)| Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.|
+| [Security policy settings](security-policy-settings.md)| This reference topic describes the common scenarios, architecture, and processes for security settings.|
+| [Trusted Platform Module](trusted-platform-module-overview.md)| This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.|
+| [User Account Control](user-account-control-overview.md)| User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
+| [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Windows Defender Advanced Threat Protection (Windows Defender ATP) is an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
+| [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| This topic provides an overview of Windows Defender, including a list of system requirements and new features.|
 
  
 

windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,120 @@
+---
+title: Windows Defender ATP service onboarding
+description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal.
+keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding, manage users,
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Windows Defender ATP service onboarding
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Azure Active Directory
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+You have to assign users to the Windows Defender ATP Service application in Azure Active Directory (AAD) before they can access the portal.
+
+**Manage user access to the Windows Defender ATP portal**:
+
+1.  When you first go to the [Windows Defender ATP portal](https://securitycenter.windows.com/) and your directory does not
+    have users assigned to the Windows ATP Service application, you will
+    be directed to open the [Microsoft Azure Dashboard](https://portal.azure.com) to manage user access.
+
+    > **Note**&nbsp;&nbsp;In AAD, a directory is essentially a tenant. See the [Azure AD documentation](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx) for more information on how tenants work with AAD.
+
+2.  Ensure you have logged in to Microsoft Azure with an account that
+    has permissions to assign users to an application in AAD. You might
+    need to sign out of Microsoft Azure and then sign back in again if
+    you used a different account to sign in to the Windows Defender ATP
+    portal:
+
+    a.  On the top menu, click the signed-in user’s name.
+
+    b.  Click **Sign out**.
+
+    ![Azure sign out](images/azure-signout.png)
+
+    c.	Go the [Microsoft Azure Dashboard](https://portal.azure.com) again where you will be asked to sign in.
+
+    d.	Sign in with the correct user name and password for an account that has permissions to assign users in AAD.
+
+3. On the **Microsoft Azure Dashboard**, click **Browse** in the navigation pane and then click **Active Directory** to open the [Azure Management Portal](https://manage.windowsazure.com/).
+
+    ![Azure Active Directory menu](images/azure-browse.png)
+
+4. You might need to open the **Directory** section of the [Azure Management Portal](https://manage.windowsazure.com/) so you can access your directory. There are two ways you can do this:
+
+    a.  Click the arrow icon above the list of directories to see the full list of directories in the main area of the portal.
+
+    ![Azure organization menu](images/azure-org-directory.png)
+
+    b. Scroll down in the navigation pane and click **Active Directory**.
+
+    ![Azure active directory](images/azure-active-directory.png)
+
+5. Click the directory that contains the Windows Defender ATP application. In the following example, the directory is
+    called **Contoso**.
+
+     ![Azure active directory list](images/azure-active-directory-list.png)
+
+    > **Note**&nbsp;&nbsp;You can also access your directory by going straight to the [Azure Management Portal](https://manage.windowsazure.com/), clicking Active Directory and then finding your directory in the list.
+
+6. Click **Applications** from the top menu bar.
+
+    ![Example organization in Azure Active Directory](images/contoso.png)
+
+7. Click the **Windows ATP Service** application. The dashboard for the application is shown.
+
+    ![Example selected organization in Azure Active Directory](images/contoso-application.png)
+
+    > **Note**&nbsp;&nbsp;The application might have a slightly different name than the one shown here. It might be called **Windows Defender ATP Service**.
+
+8. Click **Users** from the top menu bar. A list of users that are in the directory is displayed.
+
+    ![Example windows atp service users](images/windows-atp-service.png)
+
+    ![Example user assignment to the windows atp service](images/assign-users.png)
+
+    > **Note**&nbsp;&nbsp;If you do not normally work with AAD, you might not see any users in the directory, or we might have created a test tenant specifically for a single user’s account. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section for instructions on adding users to a directory.
+
+9. Select the user you want manage.
+
+10. Click **Assign**.
+
+11. Confirm that you want to enable access for the user from the notification bar. If you click **Yes**, the user is given access to the Windows Defender ATP portal.  One or more progress bars will appear that indicates the user is being assigned a role, and you will see confirmation messages. You don’t need to do anything with the messages, they will go away after a short period of time.
+
+    ![Confirmation page to enable access to users](images/confirm-user-access.png)
+
+12. To remove the user's access, click **Remove**.
+
+13. Select the **Disable access to this app for the selected users** checkbox, and then click **Complete** ![Complete icon](images/check-icon.png). One or more progress bars will appear, followed by confirmation messages. The messages will disappear after a short period.
+
+    ![Remove menu](images/remove-menu.png)
+
+14. To remove the access for all users, click **Manage access**. If you click **Complete** ![Complete icon](images/check-icon.png), you will not see the Windows ATP Service in the list of applications in your directory.
+
+    > **Note**&nbsp;&nbsp;If you want to give access to users again, see the Manage access for all users in Azure Active Directory topic in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
+
+15. You can continue assigning roles for other users in your organization now, or you can return to the Windows Defender ATP portal to complete the service onboarding wizard.
+
+    > **Note**&nbsp;&nbsp;You need to assign roles for every user in your organization that requires access to the Windows Defender ATP portal. You can assign roles at any time by going to the Azure Management Portal, clicking **Active Directory**, and then finding your directory in the list and following the steps above.
+
+When you have finished assigning roles, return to the [Windows Defender ATP portal](https://securitycenter.windows.com) and refresh the
+page.
+
+Follow the steps in the onboarding wizard to complete the onboarding process.
+
+At the end of the wizard, you can download the Group Policy configuration package which you will use to configure endpoints on your network. You can also download the package from the **Client onboarding** menu on the portal after you have completed the onboarding wizard.
+
+## Related topics
+- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

windows/keep-secure/settings-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,57 @@
+---
+title: Windows Defender Advanced Threat Protection settings
+description: Use the menu to configure the time zone, suppression rules, and view license information.
+keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license, suppression rules
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: DulceMV
+---
+
+# Windows Defender Advanced Threat Protection settings
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+Use the **Settings** menu ![Settings icon](images/settings.png) to configure the time zone, suppression rules, and view license information.
+
+## Time zone settings
+The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks.
+
+Cyberforensic investigations often rely on time stamps to piece together the sequence of events. It’s important that your system reflects the correct time zone settings.
+
+Windows Defender ATP can display either Coordinated Universal Time (UTC) or local time.
+
+Your current time zone setting is shown in the Windows Defender ATP menu. You can change the displayed time zone in the **Settings** menu ![Settings icon](images/settings.png).
+
+### UTC time zone
+Windows Defender ATP uses UTC time by default.
+
+Setting the Windows Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. Choosing this setting means that all users will see the same timestamps in Windows Defender ATP, regardless of their regional settings. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events.
+
+### Local time zone
+You can choose to have Windows Defender ATP use local time zone settings. All alerts and events will be displayed using your local time zone.
+
+The local time zone is taken from your machine’s regional settings. If you change your regional settings, the Windows Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in Windows Defender ATP will be aligned to local time for all Windows Defender ATP users. Analysts located in different global locations will now see the Windows Defender ATP alerts according to their regional settings.
+
+Choosing to use local time can be useful if the analysts are located in a single location. In this case it might be easier to correlate events to local time, for example – when a local user clicked on a suspicious email link.
+
+### Set the time zone
+The Windows Defender ATP time zone is set by default to UTC.
+Setting the time zone also changes the times for all Windows Defender ATP views.
+To set the time zone:
+
+1.	Click the **Settings** menu ![Settings icon](images/settings.png).
+2.	Select the **Timezone:UTC** indicator.
+3.	The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**.
+
+## Suppression rules
+The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. See [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
+
+## License
+Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.

windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,369 @@
+---
+title: Troubleshoot Windows Defender ATP onboarding issues
+description: Troubleshoot issues that might arise during the onboarding of endpoints or to the Windows Defender ATP service.
+keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, telemetry and diagnostics
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: iaanw
+---
+
+# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+You might need to troubleshoot the Windows Defender Advanced Threat Protection onboarding process if you encounter issues.
+This page provides detailed steps for troubleshooting endpoints that aren't reporting correctly, and common error codes encountered during onboarding. <!--and steps for resolving problems with Azure Active Directory (AAD).-->
+
+## Endpoints are not reporting to the service correctly
+
+If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after 20 minutes, it might indicate an endpoint onboarding or connectivity problem.
+
+Go through the following verification topics to address this issue:
+
+- [Ensure the endpoint is onboarded successfully](#Ensure-that-the-endpoint-is-onboarded-successfully)
+- [Ensure the Windows Defender ATP service is enabled](#Ensure-that-the-Windows-Defender-ATP-service-is-enabled)
+- [Ensure the telemetry and diagnostics service is enabled](#Ensure-that-telemetry-and-diagnostics-service-is-enabled)
+- [Ensure the endpoint has an Internet connection](#Ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection)
+
+
+### Ensure the endpoint is onboarded successfully
+If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service was successfully onboarded onto the endpoint.
+
+**Check the onboarding state in Registry**:
+
+1. Click **Start**, type **Run**, and press **Enter**
+
+2. From the **Run** dialog box, type **regedit** and press **Enter**.
+
+4. In the **Registry Editor** navigate to the Status key under:
+
+   ```text
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection
+```
+
+5. Check the **OnboardingState** value is set to **1**.
+
+  ![Image of OnboardingState status in Registry Editor](images/onboardingstate.png)
+
+If the **OnboardingState** value is not set to **1**, you can use Event Viewer to review errors on the endpoint.
+
+**Use Event Viewer to identify and adress onboarding errors**:   
+
+1. Click **Start**, type **Event Viewer**, and press **Enter**.
+
+2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
+
+    > **Note**&nbsp;&nbsp;SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+
+3. Select **Operational** to load the log.
+
+4. In the **Action** pane, click **Filter Current log**.
+
+5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**.
+
+  ![Image of Event Viewer log filter](images/filter-log.png)
+
+6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table:
+
+Event ID | Message | Resolution steps
+:---|:---|:---
+5 | Windows Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+6 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
+7 |  Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then [run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
+15 | Windows Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+
+
+### Ensure the Windows Defender ATP service is enabled
+If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service is set to automatically start and is running on the endpoint.
+
+You can use the SC command line program for checking and managing the startup type and running state of the service.
+
+**Check the Windows Defender ATP service startup type from the command line:**
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+  a.  Click **Start**, type **cmd**, and press **Enter**.
+
+  b.  Right-click **Command prompt** and select **Run as administrator**.
+
+2.  Enter the following command, and press **Enter**:
+
+    ```text
+    sc qc sense
+    ```
+
+If the the service is running, then the result should look like the following screenshot:
+
+  ![Result of the sq query sense command](images/sc-query-sense-autostart.png)
+
+If the service **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
+
+**Change the Windows Defender ATP service startup type from the command line:**
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+  a.  Click **Start**, type **cmd**, and press **Enter**.
+
+  b.  Right-click **Command prompt** and select **Run as administrator**.
+
+2.  Enter the following command, and press **Enter**:
+
+    ```text
+    sc config sense start=auto
+    ```
+
+3.  A success message is displayed. Verify the change by entering the following command and press **Enter**:
+
+    ```text
+    sc qc sense
+    ```
+
+**Check the Windows Defender ATP service is running from the command line:**
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+  a.  Click **Start**, type **cmd**, and press **Enter**.
+
+  b.  Right-click **Command prompt** and select **Run as administrator**.
+
+2.  Enter the following command, and press **Enter**:
+
+    ```text
+    sc query sense
+    ```
+
+If the service is running, the result should look like the following screenshot:
+
+![Result of the sc query sense command](images/sc-query-sense-running.png)
+
+If the service **STATE** is not set to **RUNNING**, then you'll need to start it.
+
+**Start the Windows Defender ATP service from the command line:**
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+  a.  Click **Start**, type **cmd**, and press **Enter**.
+
+  b.  Right-click **Command prompt** and select **Run as administrator**.
+
+2.  Enter the following command, and press **Enter**:
+
+    ```text
+    sc start sense
+    ```
+
+3.  A success message is displayed. Verify the change by entering the following command and press **Enter**:
+
+    ```text
+    sc qc sense
+    ```
+
+### Ensure the telemetry and diagnostics service is enabled
+If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service may have been disabled by other programs or user configuration changes.
+
+
+First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
+
+### Ensure the service is set to start
+
+**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+  a.  Click **Start**, type **cmd**, and press **Enter**.
+
+  b.  Right-click **Command prompt** and select **Run as administrator**.
+
+2.  Enter the following command, and press **Enter**:
+
+    ```text
+    sc qc diagtrack
+    ```
+
+If the service is enabled, then the result should look like the following screenshot:
+
+![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
+
+If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
+
+
+
+**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+  a.  Click **Start**, type **cmd**, and press **Enter**.
+
+  b.  Right-click **Command prompt** and select **Run as administrator**.
+
+2.  Enter the following command, and press **Enter**:
+
+    ```text
+    sc config diagtrack start=auto
+    ```
+
+3.  A success message is displayed. Verify the change by entering the following command, and press **Enter**:
+
+    ```text
+    sc qc diagtrack
+    ```
+
+**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service startup type**:
+
+1.  Open the services console:
+
+  a. Click **Start** and type **services**.
+
+  b. Press **Enter** to open the console.
+
+2.  Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
+
+3.  Check the **Startup type** column - the service should be set as **Automatic**.
+
+If the startup type is not set to **Automatic**, you'll need to change it so the service starts when the endpoint does.
+
+
+**Use the Windows Services console to set the Windows 10 telemetry and diagnostics service to automatically start:**
+
+1.  Open the services console:
+
+  a. Click **Start** and type **services**.
+
+  b. Press **Enter** to open the console.
+
+2.  Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
+
+3.  Right-click on the entry and click **Properties**.
+
+4.  On the **General** tab, change the **Startup type:** to **Automatic**, as shown in the following image. Click OK.
+
+    ![Select Automatic to change the startup type in the Properties dialog box for the service](images/windefatp-utc-console-autostart.png)
+
+### Ensure the service is running
+
+**Use the command line to check the Windows 10 telemetry and diagnostics service is running**:
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+  a.  **Click **Start** and type **cmd**.**
+
+  b.  Right-click **Command prompt** and select **Run as administrator**.
+
+2.  Enter the following command, and press **Enter**:
+
+    ```text
+    sc query diagtrack
+    ```
+
+If the service is running, the result should look like the following screenshot:
+
+![Result of the sc query command for sc query diagtrack](images/windefatp-sc-query-diagtrack.png)
+
+If the service **STATE** is not set to **RUNNING**, then you'll need to start it.
+
+
+**Use the command line to start the Windows 10 telemetry and diagnostics service:**
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+  a.  **Click **Start** and type **cmd**.**
+
+  b.  Right-click **Command prompt** and select **Run as administrator**.
+
+2.  Enter the following command, and press **Enter**:
+
+    ```text
+    sc start diagtrack
+    ```
+
+3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
+
+    ```text
+    sc query diagtrack
+    ```
+
+**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service is running**:
+
+1.  Open the services console:
+
+  a. Click **Start** and type **services**.
+
+  b. Press **Enter** to open the console.
+
+2.  Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
+
+3.  Check the **Status** column - the service should be marked as **Running**.
+
+If the service is not running, you'll need to start it.
+
+
+**Use the Windows Services console to start the Windows 10 telemetry and diagnostics service:**
+
+1.  Open the services console:
+
+  a. Click **Start** and type **services**.
+
+  b. Press **Enter** to open the console.
+
+2.  Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
+
+3.  Right-click on the entry and click **Start**, as shown in the following image.
+
+![Select Start to start the service](images/windef-utc-console-start.png)
+
+
+### Ensure the endpoint has an Internet connection
+
+The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
+
+WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
+
+To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic.
+
+If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.    
+
+<!--
+
+## There are no users in the Azure Active Directory
+If you don't see any users in the [Azure Management Portal](https://manage.windowsazure.com/) during the service onboarding stage, you might need to add users to the directory first.
+
+1.  Go to the Azure Management Portal and select the directory you want to manage.
+
+2.  Click **Users** from the top menu bar.
+
+    ![Example Azure Management Portal organization](images/contoso-users.png)
+
+3.  Click **Add user** from the menu bar at the bottom.
+
+    ![Add user menu](images/add-user.png)
+
+4.  Select the type of user and enter their details. There might be multiple steps in the **Add user** dialog box depending on the type of user. When you're done, click **Complete** ![Check icon](images/check-icon.png) or **OK**.
+
+5.  Continue to add users. They will now appear in the **Users** section of the **Windows ATP Service** application. You must assign the user a role before they can access the [Windows Defender ATP portal](https://securitycenter.windows.com/).
+
+## The Windows Defender ATP app doesn't appear in the Azure Management Portal
+If you remove access for all users to the Windows ATP Service application (by clicking Manage access), you will not see the application in the list of applications in your directory in the [Azure Management Portal](https://manage.windowsazure.com/).
+
+Log in to the application in the Azure Management Portal again:
+
+1.  Sign in to the [Windows Defender ATP portal](https://securitycenter.windows.com/) with the user account you want to give access to.
+
+2.  Confirm that you have signed in with the correct details, and click **Accept**.
+
+3.  Go to the [Azure Management Portal](https://manage.windowsazure.com/) and navigate to your directory. You will see the **Windows ATP Service** application in the **Applications** section again.
+
+-->
+
+## Related topics
+<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
+- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)

windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,63 @@
+---
+title: Troubleshoot Windows Defender Advanced Threat Protection
+description: Find solutions and work arounds to known issues such as server errors when trying to access the service.
+keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+# Troubleshoot Windows Defender Advanced Threat Protection
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
+
+### Server error - Access is denied due to invalid credentials
+If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings.
+Configure your browser to allow cookies.
+
+### No data is shown on the portal
+If no data is displayed on the Dashboard portal even if no errors were encountered in the portal logs or in the browser console, you'll need to whitelist the threat intelligence, data access, and detonation endpoints that also use this protocol.
+
+Depending on your region, add the following endpoints to the whitelist:
+
+U.S. region:
+
+- daasmon-cus-prd.cloudapp.net			
+- daasmon-eus-prd.cloudapp.net			
+- dataaccess-cus-prd.cloudapp.net			
+- dataaccess-eus-prd.cloudapp.net			
+- onboardingservice-prd.trafficmanager.net			
+- sevillefeedback-prd.trafficmanager.net			
+- sevillesettings-prd.trafficmanager.net			
+- threatintel-cus-prd.cloudapp.net			
+- threatintel-eus-prd.cloudapp.net			
+
+
+
+EU region:
+
+- dataaccess-neu-prd.cloudapp.net
+- dataaccess-weu-prd.cloudapp.net
+- onboardingservice-prd.trafficmanager.net
+- sevillefeedback-prd.trafficmanager.net
+- sevillesettings-prd.trafficmanager.net
+- threatintel-neu-prd.cloudapp.net
+- threatintel-weu-prd.cloudapp.net
+
+
+### Windows Defender ATP service shows event or error logs in the Event Viewer
+
+See the topic [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors.
+
+
+### Related topic
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+- [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)

windows/keep-secure/use-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,45 @@
+---
+title: Use the Windows Defender Advanced Threat Protection portal
+description: Learn about the features on Windows Defender ATP portal, including how alerts work, and suggestions on how to investigate possible breaches and attacks.
+keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Use the Windows Defender Advanced Threat Protection portal
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+A typical security breach investigation requires a member of a security operations team to:
+
+1. View an alert on the **Dashboard** or **Alerts queue**
+2. Review the indicators of compromise (IOC) or indications of attack (IOAs)
+3. Review a timeline of alerts, behaviors, and events from the machine
+4. Manage alerts, understand the threat or potential breach, collect information to support taking action, and resolve the alert
+
+![Flowchart describing the four stages of investigation](images/overview.png)
+
+Security operation teams can use Windows Defender ATP portal to carry out this end-to-end process without having to leave the portal.
+
+Teams can monitor the overall status of enterprise endpoints from the **Dashboard**, gain insight on the various alerts, their category, when they were observed, and how long they’ve been in the network at a glance.
+
+### In this section
+
+Topic | Description
+:---|:---
+[View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP  **Dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
+[View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues.
+[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
+[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
+[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
+[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external internet protocol (IP) addresses.
+[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
+[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.

windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md

@@ -0,0 +1,195 @@
+---
+title: User Account Control Group Policy and registry key settings (Windows 10)
+description: Here's a list of UAC  Group Policy and registry key settings that your organization can use to manage UAC.
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+---
+
+# User Account Control Group Policy and registry key settings
+
+**Applies to**
+
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+## Group Policy settings
+There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings).
+
+
+| Group Policy setting | Registry key | Default |
+| - | - | - | - |
+| [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled |
+| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled |
+| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
+| [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials on the secure desktop |
+| [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home)<br />Disabled (default for enterprise) |
+| [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Disabled |
+| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Enabled |
+| [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | EnableLUA | Enabled |
+| [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | PromptOnSecureDesktop | Enabled |
+| [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | EnableVirtualization | Enabled |
+
+### User Account Control: Admin Approval Mode for the built-in Administrator account
+
+The **User Account Control: Admin Approval Mode for the built-in Administrator account** policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
+
+The options are:
+
+-   **Enabled.** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
+-   **Disabled.** (Default) The built-in Administrator account runs all applications with full administrative privilege.
+
+
+### User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
+
+The **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
+
+The options are:
+
+-   **Enabled.** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
+-   **Disabled.** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting.
+
+UIA programs are designed to interact with Windows and application programs on behalf of a user. This policy setting allows UIA programs to bypass the secure desktop to increase usability in certain cases; however, allowing elevation requests to appear on the interactive desktop instead of the secure desktop can increase your security risk.
+
+UIA programs must be digitally signed because they must be able to respond to prompts regarding security issues, such as the UAC elevation prompt. By default, UIA programs are run only from the following protected paths:
+
+-   ...\\Program Files, including subfolders
+-   ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
+-   ...\\Windows\\System32
+
+The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting disables the requirement to be run from a protected path.
+
+While this policy setting applies to any UIA program, it is primarily used in certain remote assistance scenarios, including the Windows Remote Assistance program in Windows 7.
+
+If a user requests remote assistance from an administrator and the remote assistance session is established, any elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator's session during elevation requests, the user may select the **Allow IT Expert to respond to User Account Control prompts** check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required credentials to allow elevation.
+
+If you enable this policy setting, requests for elevation are automatically sent to the interactive desktop (not the secure desktop) and also appear on the remote administrator's view of the desktop during a remote assistance session. This allows the remote administrator to provide the appropriate credentials for elevation.
+
+This policy setting does not change the behavior of the UAC elevation prompt for administrators.
+
+If you plan to enable this policy setting, you should also review the effect of the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user.
+
+
+### User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
+
+The **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting controls the behavior of the elevation prompt for administrators.
+
+The options are:
+
+-   **Elevate without prompting.** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
+
+    **Note** Use this option only in the most constrained environments.
+
+-   **Prompt for credentials on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
+-   **Prompt for consent on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
+-   **Prompt for credentials.** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+-   **Prompt for consent.** When an operation requires elevation of privilege, the user is prompted to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
+-   **Prompt for consent for non-Windows binaries.** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
+
+
+### User Account Control: Behavior of the elevation prompt for standard users
+
+The **User Account Control: Behavior of the elevation prompt for standard users** policy setting controls the behavior of the elevation prompt for standard users.
+
+The options are:
+
+-   **Automatically deny elevation requests.** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
+-   **Prompt for credentials on the secure desktop.** (Default) When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+-   **Prompt for credentials.** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+### User Account Control: Detect application installations and prompt for elevation
+
+The **User Account Control: Detect application installations and prompt for elevation** policy setting controls the behavior of application installation detection for the computer.
+
+The options are:
+
+-   **Enabled.** (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+-   **Disabled.** (Default for enterprise) Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
+
+### User Account Control: Only elevate executables that are signed and validated
+
+The **User Account Control: Only elevate executables that are signed and validated** policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
+
+The options are:
+
+-   **Enabled.** Enforces the PKI certification path validation for a given executable file before it is permitted to run.
+-   **Disabled.** (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
+
+### User Account Control: Only elevate UIAccess applications that are installed in secure locations
+
+The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
+
+-   ...\\Program Files, including subfolders
+-   ...\\Windows\\system32
+-   ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
+
+**Note** Windows enforces a PKI signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
+
+The options are:
+
+-   **Enabled.** (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
+-   **Disabled.** An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
+
+### User Account Control: Run all administrators in Admin Approval Mode
+
+The **User Account Control: Run all administrators Admin Approval Mode** policy setting controls the behavior of all UAC policy settings for the computer. If you change this policy setting, you must restart your computer.
+
+The options are:
+
+-   **Enabled.** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the **Administrators** group to run in Admin Approval Mode.
+-   **Disabled.** Admin Approval Mode and all related UAC policy settings are disabled.
+
+**Note** If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
+
+### User Account Control: Switch to the secure desktop when prompting for elevation
+
+The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
+
+The options are:
+
+-   **Enabled.** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
+-   **Disabled.** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
+
+When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting. The following table describes the behavior of the elevation prompt for each of the administrator policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
+
+| Administrator policy setting | Enabled | Disabled |
+| - | - | - |
+| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
+| **Prompt for consent on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
+| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
+| **Prompt for consent** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
+| **Prompt for consent for non-Windows binaries** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
+
+When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. The following table describes the behavior of the elevation prompt for each of the standard user policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
+
+| Standard policy setting | Enabled | Disabled |
+| - | - | - |
+| **Automatically deny elevation requests** | No prompt. The request is automatically denied. | No prompt. The request is automatically denied. |
+| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
+| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
+
+### User Account Control: Virtualize file and registry write failures to per-user locations
+
+The **User Account Control: Virtualize file and registry write failures to per-user locations** policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.
+
+The options are:
+
+-   **Enabled.** (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
+-   **Disabled.** Applications that write data to protected locations fail.
+
+## Registry key settings
+
+The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**. For information about each of the registry keys, see the associated Group Policy description.
+
+| Registry key | Group Policy setting | Registry setting |
+| - | - | - |
+| FilterAdministratorToken | [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | 0 (Default) = Disabled<br />1 = Enabled |
+| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled<br />1 = Enabled |
+| ConsentPromptBehaviorAdmin | [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | 0 = Elevate without prompting<br />1 = Prompt for credentials on the secure desktop<br />2 = Prompt for consent on the secure desktop<br />3 = Prompt for credentials<br />4 = Prompt for consent<br />5 (Default) = Prompt for consent for non-Windows binaries<br /> |
+| ConsentPromptBehaviorUser | [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | 0 = Automatically deny elevation requests<br />1 = Prompt for credentials on the secure desktop<br />3 (Default) = Prompt for credentials |
+| EnableInstallerDetection | [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | 1 = Enabled (default for home)<br />0 = Disabled (default for enterprise) |
+| ValidateAdminCodeSignatures | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | 0 (Default) = Disabled<br/>1 = Enabled |
+| EnableSecureUIAPaths | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | 0 = Disabled<br />1 (Default) = Enabled |
+| EnableLUA | [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | 0 = Disabled<br />1 (Default) = Enabled |
+| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control:-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled<br />1 (Default) = Enabled |
+| EnableVirtualization | [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | 0 = Disabled<br />1 (Default) = Enabled |

windows/keep-secure/user-account-control-overview.md

@@ -10,57 +10,34 @@ author: brianlic-msft
 
 # User Account Control
 
-
 **Applies to**
 
--   Windows 10
+- Windows 10
+- Windows Server 2016 Technical Preview
 
 User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
 
-## <a href="" id="bkmk-over"></a>
-
-
 UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
 
 Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account.
 
 When an app needs to run with more than standard user rights, UAC can restore additional user groups to the token. This enables the user to have explicit control of apps that are making system level changes to their computer or device.
 
-## <a href="" id="bkmk-app"></a>Practical applications
-
+## Practical applications
 
 Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.
 
-## <a href="" id="bkmk-new"></a>New and changed functionality
-
+## New and changed functionality
 
 To find out what's new in UAC for Windows 10, see [User Account Control](../whats-new/user-account-control.md).
 
 ## In this section
 
-
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Topic</th>
-<th align="left">Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>[How User Account Control works](how-user-account-control-works.md)</p></td>
-<td align="left"><p>User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[User Account Control security policy settings](user-account-control-security-policy-settings.md)</p></td>
-<td align="left"><p>You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.</p></td>
-</tr>
-</tbody>
-</table>
+| Topic | Description |
+| - | - |
+| [How User Account Control works](how-user-account-control-works.md) | User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. |
+| [User Account Control security policy settings](user-account-control-security-policy-settings.md) | You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. |
+| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Here's a list of UAC  Group Policy and registry key settings that your organization can use to manage UAC. |
 
  
 

windows/keep-secure/windows-defender-advanced-threat-protection.md

@@ -0,0 +1,86 @@
+---
+title: Windows Defender Advanced Threat Protection - Windows Defender
+description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats.
+keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, endpoint behavioral sensor, cloud security, analytics, threat intelligence
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Windows Defender Advanced Threat Protection
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
+
+Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
+
+-   **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
+    collect and process behavioral signals from the operating system
+    (for example, process, registry, file, and network communications)
+    and sends this telemetry to your private, isolated, cloud instance of Windows Defender ATP.
+
+
+-   **Cloud security analytics**: Leveraging big-data, machine-learning, and
+    unique Microsoft optics across the Windows ecosystem (such as the
+    [Microsoft Malicious Software Removal Tool](https://www.microsoft.com/en-au/download/malicious-software-removal-tool-details.aspx),
+    enterprise cloud products (such as Office 365), and online assets
+    (such as Bing and SmartScreen URL reputation), behavioral signals
+    are translated into insights, detections, and recommended responses
+    to advanced threats.
+
+-   **Threat intelligence**: Generated by Microsoft hunters, security teams,
+    and augmented by threat intelligence provided by partners, threat
+    intelligence enables Windows Defender ATP to identify attacker
+    tools, techniques, and procedures, and generate alerts when these
+    are observed in collected telemetry.
+
+The following diagram shows these Windows Defender ATP service
+components:
+
+![Windows Defender ATP service components](images/components.png)
+
+Endpoint investigation capabilities in this service let you drill down
+into security alerts and understand the scope and nature of a potential
+breach. You can submit files for deep analysis and receive the results
+without leaving the [Windows Defender ATP portal](https://securitycenter.windows.com).
+
+Windows Defender ATP works with existing Windows security technologies
+on endpoints, such as Windows Defender, AppLocker, and Device Guard. It
+can also work side-by-side with third-party security solutions and
+antimalware products.
+
+Windows Defender ATP leverages Microsoft technology and expertise to
+detect sophisticated cyber-attacks, providing:
+
+- Behavior-based, cloud-powered, advanced attack detection
+
+    Finds the attacks that made it past all other defenses (post breach detection),provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.
+
+- Rich timeline for forensic investigation and mitigation
+
+    Easily investigate the scope of breach or suspected behaviors on any machine through a rich machine timeline. File, URLs, and network connection inventory across the network. Gain additional insight using deep collection and analysis (“detonation”) for any file or URLs.
+
+- Built in unique threat intelligence knowledge base
+
+    Unparalleled threat optics provides actor details and intent context for every threat intel-based detection – combining first and third-party intelligence sources.
+
+## In this section
+
+Topic | Description
+:---|:---
+[Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | This overview topic for IT professionals provides information on the minimum requirements to use Windows Defender ATP such as network and data storage configuration, and endpoint hardware ans software requirements, and deployment channels.
+[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints.
+[Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)| Learn about how Windows Defender ATP collects and handles information and where data is stored.
+[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the main features of the service and how it leverages Microsoft technology to protect enterprise endpoints from sophisticated cyber attacks.
+[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise.
+[Windows Defender Advanced Threat Protection settings](settings-windows-defender-advanced-threat-protection.md) | Learn about setting the time zone and configuring the suppression rules to configure the service to your requirements.  
+[Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
+[Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.