Merge branch 'master' into martyav-disableantispyware-update

windows/security/identity-protection/credential-guard/credential-guard-manage.md

@@ -8,11 +8,14 @@ ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: dulcemontemayor
-ms.author: dansimp
+ms.author: v-tea
 manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.reviewer: 
+ms.custom: 
+- CI 120967
+- CSSTroubleshooting
 ---
 
 # Manage Windows Defender Credential Guard
@@ -154,14 +157,25 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
 
 -   You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
     -   **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
-    -   **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: 0x1, 0
-        -   The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means it's not configured to run.
-        -   The second variable: 0 means it's configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
+    -   **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0**
+        -   The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run.
+        -   The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
     -   **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
     -   **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
-    -   **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
+    -   **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]  
     You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
-        -   **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+        -   **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.  
+  - You can use Windows Powershell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated Powershell window and run the following command:
+  
+    ```powershell
+    (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
+    ```
+
+    This command generates the following output:  
+    - **0**: Windows Defender Credential Guard is disabled (not running)
+    - **1**: Windows Defender Credential Guard is enabled (running)
+    > [!NOTE]  
+    > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running.
 
 ## Disable Windows Defender Credential Guard
 
@@ -221,7 +235,7 @@ You can also disable Windows Defender Credential Guard by using the [HVCI and Wi
 ```
 DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
 ```
-> [!IMPORTANT]
+> [!IMPORTANT]  
 > When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. 
 > This is a known issue.
 

windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md

@@ -74,6 +74,9 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Azure Active Directory.  Azure AD returns a nonce.|
 |G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.  Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
 
+> [!IMPORTANT]
+> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
+
 ## Hybrid Azure AD join authentication using a Certificate
 ![Hybrid Azure AD join authentication using a Certificate](images/howitworks/auth-haadj-certtrust.png)
 
@@ -87,3 +90,5 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Azure Active Directory.  Azure AD returns a nonce.|
 |G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.  Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
 
+> [!IMPORTANT]
+> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller for the first time.

windows/security/identity-protection/hello-for-business/hello-overview.md

@@ -99,7 +99,9 @@ Windows Hello for Business with a key does not support RDP. RDP does not support
 
 ## Learn more
 
-[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/implementing-windows-hello-for-business-at-microsoft)
+[Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/en-us/itshowcase/implementing-strong-user-authentication-with-windows-hello-for-business)
+
+[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft)
 
 [Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
 

windows/security/identity-protection/smart-cards/smart-card-debugging-information.md

@@ -1,12 +1,12 @@
 ---
-title: Smart Cards Debugging Information (Windows 10)
-description: This topic explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
+title: Smart Card Troubleshooting (Windows 10)
+description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 audience: ITPro
-author: dulcemontemayor
+author: dansimp
 ms.author: dansimp
 manager: dansimp
 ms.collection: M365-identity-device-management
@@ -16,11 +16,11 @@ ms.date: 04/19/2017
 ms.reviewer: 
 ---
 
-# Smart Cards Debugging Information
+# Smart Card Troubleshooting
 
 Applies To: Windows 10, Windows Server 2016
 
-This topic explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
+This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
 
 Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections provide guidance about tools and approaches you can use.
 
@@ -28,7 +28,7 @@ Debugging and tracing smart card issues requires a variety of tools and approach
 
 -   [Debugging and tracing using WPP](#debugging-and-tracing-using-wpp)
 
--   [Kerberos protocol, KDC and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
+-   [Kerberos protocol, KDC, and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
 
 -   [Smart Card service](#smart-card-service)
 
@@ -44,7 +44,8 @@ For a complete description of Certutil including examples that show how to use i
 
 To list certificates that are available on the smart card, type certutil -scinfo.
 
-> **Note**  Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
+> [!NOTE]
+> Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
 
 ### Delete certificates on the smart card
 
@@ -56,7 +57,7 @@ To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card C
 
 ## Debugging and tracing using WPP
 
-Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider, and it provides a mechanism for the trace provider to log real-time binary messages. Logged messages can subsequently be converted to a human-readable trace of the operation of the trace provider. For more information about WPP, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
+Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
 
 ### Enable the trace
 
@@ -68,7 +69,7 @@ Using WPP, use one of the following commands to enable tracing:
 
 You can use the parameters in the following table.
 
-| **Friendly name** | **GUID**          | **Flags** |
+| Friendly name | GUID           | Flags |
 |-------------------|--------------------------------------|-----------|
 | scardsvr          | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff    |
 | winscard          | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff    |
@@ -84,13 +85,13 @@ Examples
 
 To enable tracing for the SCardSvr service:
 
--   tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\\scardsvr.etl -flags 0xffff -ft 1
+-   **tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\\scardsvr.etl -flags 0xffff -ft 1**
 
--   logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\\scardsvr.etl -mode 0x00080000
+-   **logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\\scardsvr.etl -mode 0x00080000**
 
 To enable tracing for scfilter.sys:
 
-tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\\scfilter.etl -flags 0xffff -ft 1
+ - **tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\\scfilter.etl -flags 0xffff -ft 1**
 
 ### Stop the trace
 
@@ -100,65 +101,66 @@ Using WPP, use one of the following commands to stop the tracing:
 
 -   **logman -stop** <*FriendlyName*> **-ets**
 
-Examples
+#### Examples
 
 To stop a trace:
 
--   tracelog.exe -stop scardsvr
+-   **tracelog.exe -stop scardsvr**
 
--   logman -stop scardsvr -ets
+-   **logman -stop scardsvr -ets**
 
 ## Kerberos protocol, KDC and NTLM debugging and tracing
 
 <!-- It's difficult to find any Kerberos content any more. If they reinstate some content that's more relevant and detailed than what's below, link to it instead. -->
 
-You can use the following resources to begin troubleshooting these protocols and the KDC:
+You can use these resources to troubleshoot these protocols and the KDC:
 
--   [Kerberos and LDAP Troubleshooting Tips](https://technet.microsoft.com/library/bb463167.aspx)
+-   [Kerberos and LDAP Troubleshooting Tips](https://technet.microsoft.com/library/bb463167.aspx).
 
--   [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit)  You can use the trace log tool in this SDK to debug Kerberos authentication failures.
+-   [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit).  You can use the trace log tool in this SDK to debug Kerberos authentication failures.
 
-To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in the following examples. For more information, see [Tracelog](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
+To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in these examples. For more information, see [Tracelog](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
 
 ### NTLM
 
 To enable tracing for NTLM authentication, run the following at the command line:
 
-tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1
+ - **tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1**
 
-To stop tracing for NTLM authentication, run the following at the command line:
+To stop tracing for NTLM authentication, run this command:
 
-tracelog -stop ntlm
+ - **tracelog -stop ntlm**
 
 ### Kerberos authentication
 
-To enable tracing for Kerberos authentication, run the following at the command line:
+To enable tracing for Kerberos authentication, run this command:
 
-tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\\kerb.etl -flags 0x43 -ft 1
+ - **tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\\kerb.etl -flags 0x43 -ft 1**
 
-To stop tracing for Kerberos authentication, run the following at the command line:
+To stop tracing for Kerberos authentication, run this command:
 
-tracelog.exe -stop kerb
+ - **tracelog.exe -stop kerb**
 
 ### KDC
 
 To enable tracing for the Key Distribution Center (KDC), run the following at the command line:
 
-tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1
+ - **tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1**
 
 To stop tracing for the KDC, run the following at the command line:
 
-tracelog.exe -stop kdc
+ - **tracelog.exe -stop kdc**
 
-To stop tracing from a remote computer, run the following at the command line: logman.exe -s *&lt;ComputerName&gt;*.
+To stop tracing from a remote computer, run this command: logman.exe -s *&lt;ComputerName&gt;*.
 
-> **Note**&nbsp;&nbsp;The default location for logman.exe is %systemroot%system32\\. Use the **-s** option to supply a computer name.
+> [!NOTE]
+> The default location for logman.exe is %systemroot%system32\\. Use the **-s** option to supply a computer name.
 
 ### Configure tracing with the registry
 
 You can also configure tracing by editing the Kerberos registry values shown in the following table.
 
-| **Element** | **Registry Key Setting**       |
+| Element | Registry Key Setting       |
 |-------------|----------------------------------------------------|
 | NTLM        | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1\_0<br>Value name: NtLmInfoLevel<br>Value type: DWORD<br>Value data: c0015003          |
 | Kerberos    | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos<br>Value name: LogToFile<br>Value type: DWORD<br>Value data: 00000001<br><br>HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters<br>Value name: KerbDebugLevel<br>Value type: DWORD<br>Value data: c0000043<br><br>HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters<br>Value name: LogToFile<br>Value type: DWORD<br>Value data: 00000001 |
@@ -166,7 +168,7 @@ You can also configure tracing by editing the Kerberos registry values shown in
 
 If you used Tracelog, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
 
-Otherwise, if you used the registry key settings shown in the previous table, look for the generated trace log files in the following locations:
+If you used the registry key settings shown in the previous table, look for the trace log files in the following locations:
 
 -   NTLM: %systemroot%\\tracing\\msv1\_0
 
@@ -178,7 +180,7 @@ To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a
 
 ## Smart Card service
 
-The smart card resource manager service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process.
+The smart card resource manager service runs in the context of a local service. It's implemented as a shared service of the services host (svchost) process.
 
 **To check if Smart Card service is running**
 
@@ -202,9 +204,9 @@ The smart card resource manager service runs in the context of a local service,
 
 You can use the following command at the command prompt to check whether the service is running: **sc queryex scardsvr**.
 
-The following is example output from running this command:
+This is an example output from this command:
 
-```
+```console
 SERVICE_NAME: scardsvr
     TYPE        : 20 WIN32_SHARE_PROCESS
     STATE       : 4 RUNNING
@@ -232,13 +234,14 @@ As with any device connected to a computer, Device Manager can be used to view p
 
 4.  In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then click **Properties**.
 
-> **Note**&nbsp;&nbsp;If the smart card reader is not listed in Device Manager, in the **Action** menu, click **Scan for hardware changes**.
+> [!NOTE]
+> If the smart card reader is not listed in Device Manager, in the **Action** menu, click **Scan for hardware changes**.
 
 ## CryptoAPI 2.0 Diagnostics
 
-CryptoAPI 2.0 Diagnostics is a feature that is available in Windows operating systems that supports CryptoAPI 2.0. This feature can help you troubleshoot public key infrastructure (PKI) issues.
+CryptoAPI 2.0 Diagnostics is available in Windows versions that support CryptoAPI 2.0 and can help you troubleshoot public key infrastructure (PKI) issues.
 
-CryptoAPI 2.0 Diagnostics logs events in the Windows event log, which contain detailed information about certificate chain validation, certificate store operations, and signature verification. This information makes it easier to identify the causes of issues and reduces the time required for diagnosis.
+CryptoAPI 2.0 Diagnostics logs events in the Windows event log. The logs contain detailed information about certificate chain validation, certificate store operations, and signature verification. This information makes it easier to identify the causes of issues and reduces the time required for diagnosis.
 
 For more information about CryptoAPI 2.0 Diagnostics, see [Troubleshooting an Enterprise PKI](https://technet.microsoft.com/library/cc771463.aspx).
 

windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md

@@ -35,7 +35,7 @@ The Create command sets up new virtual smart cards on the user’s system. It re
 | Parameter | Description |
 |-----------|-------------|
 | /name | Required. Indicates the name of the new virtual smart card. |
-| /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.<br>**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a value for the administrator key.<br>**RANDOM**&nbsp;&nbsp;Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key must be entered as 48 hexadecimal characters. |
+| /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.<br>**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a value for the administrator key.<br>**RANDOM**&nbsp;&nbsp;Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key is set as 48 hexadecimal characters. |
 | /PIN | Indicates desired user PIN value.<br>**DEFAULT**&nbsp;&nbsp;Specifies the default PIN of 12345678.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. |
 | /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK.<br>**DEFAULT**&nbsp;&nbsp;Specifies the default PUK of 12345678.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a PUK at the command line. |
 | /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Endpoint Configuration Manager. |

windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md

@@ -16,38 +16,38 @@ ms.author: dansimp
 
 This topic explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The scenario is:
 
-- You connect to a network using Wi-Fi or VPN. 
-- You want to use the credentials that you use for the WiFi or VPN authentication to also authenticate requests to access a domain resource you are connecting to, without being prompted for your domain credentials separately. 
+- You connect to a network using Wi-Fi or VPN.
+- You want to use the credentials that you use for the WiFi or VPN authentication to also authenticate requests to access a domain resource you are connecting to, without being prompted for your domain credentials separately.
 
 For example, you want to connect to a corporate network and access an internal website that requires Windows integrated authentication.
 
-At a high level, the way this works is that the credentials that are used for the connection authentication are put in Credential Manager as the default credentials for the logon session. 
-Credential Manager is a place where credentials in the OS are can be stored for specific domain resources based on the targetname of the resource. 
-For VPN, the VPN stack saves its credential as the session default. 
-For WiFi, EAP does it. 
+At a high level, the way this works is that the credentials that are used for the connection authentication are put in Credential Manager as the default credentials for the logon session.
+Credential Manager is a place where credentials in the OS are can be stored for specific domain resources based on the targetname of the resource.
+For VPN, the VPN stack saves its credential as the session default.
+For WiFi, EAP does it.
 
-The credentials are put in Credential Manager as a "\*Session" credential. 
-A "\*Session" credential implies that it is valid for the current user session. 
-The credentials are also cleaned up when the WiFi or VPN connection is disconnected. 
+The credentials are put in Credential Manager as a "\*Session" credential.
+A "\*Session" credential implies that it is valid for the current user session.
+The credentials are also cleaned up when the WiFi or VPN connection is disconnected.
 
-When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. 
-For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations). 
+When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
+For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations).
 
-The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. 
-If the app is not UWP, it does not matter. 
-But if it is a UWP app, it will look at the device capability for Enterprise Authentication. 
+The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
+If the app is not UWP, it does not matter.
+But if it is a UWP app, it will look at the device capability for Enterprise Authentication.
 If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
-This behavior helps prevent credentials from being misused by untrusted third parties.  
+This behavior helps prevent credentials from being misused by untrusted third parties.
 
 ## Intranet zone
 
-For the Intranet zone, by default it only allows single-label names, such as Http://finance. 
-If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](https://msdn.microsoft.com/library/windows/hardware/dn904964.aspx). 
+For the Intranet zone, by default it only allows single-label names, such as Http://finance.
+If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](https://msdn.microsoft.com/library/windows/hardware/dn904964.aspx).
 
 ### Setting the ZoneMap
 
-The ZoneMap is controlled using a registry that can be set through MDM. 
-By default, single-label names such as http://finance are already in the intranet zone. 
+The ZoneMap is controlled using a registry that can be set through MDM.
+By default, single-label names such as http://finance are already in the intranet zone.
 For multi-label names, such as http://finance.net, the ZoneMap needs to be updated.
 
 ## MDM Policy
@@ -56,9 +56,9 @@ OMA URI example:
 
 ./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/`<domain name>`/* as an Integer Value of 1 for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Edge browser.
 
-## Credential requirements 
+## Credential requirements
 
-For VPN, the following types of credentials will be added to credential manager after authentication: 
+For VPN, the following types of credentials will be added to credential manager after authentication:
 
 - Username and password
 - Certificate-based authentication:
@@ -67,7 +67,7 @@ For VPN, the following types of credentials will be added to credential manager
     - Smart Card Certificate
     - Windows Hello for Business Certificate
 
-The username should also include a domain that can be reached over the connection (VPN or WiFi). 
+The username should also include a domain that can be reached over the connection (VPN or WiFi).
 
 ## User certificate templates
 
@@ -82,17 +82,17 @@ If the credentials are certificate-based, then the elements in the following tab
 
 ## NDES server configuration
 
-The NDES server is required to be configured so that incoming SCEP requests can be mapped to the correct template to be used. 
-For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/intune/deploy-use/Configure-certificate-infrastructure-for-scep). 
+The NDES server is required to be configured so that incoming SCEP requests can be mapped to the correct template to be used.
+For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/mem/intune/protect/certificates-scep-configure).
 
 ## Active Directory requirements
 
-You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well. 
+You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well.
 
 The domain controllers will need to have appropriate KDC certificates for the client to trust them as domain controllers, and since phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
 
-The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication. 
-This is because Windows 10 Mobile requires strict KDC validation to be enabled. 
-This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server. 
-For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382). 
+The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication.
+This is because Windows 10 Mobile requires strict KDC validation to be enabled.
+This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server.
+For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382).
 

windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md

@@ -115,6 +115,12 @@ Please check the driver instance for the device you are testing. Some drivers ma
 
 If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers).
 
+### My system's Kernel DMA Protection is off. Can DMA-remapping for a specific device be turned on?
+
+Yes. DMA remapping for a specific device can be turned on independent from Kernel DMA Protection. For example, if the driver opts in and VT-d (Virtualization Technology for Directed I/O) is turned on, then DMA remapping will be enabled for the devices driver even if Kernel DMA Protection is turned off.
+
+Kernel DMA Protection is a policy that allows or blocks devices to perform DMA, based on their remapping state and capabilities.
+
 ### Do Microsoft drivers support DMA-remapping?
 In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA Remapping.
 

windows/security/information-protection/tpm/tpm-recommendations.md

@@ -112,7 +112,7 @@ The following table defines which Windows features require TPM support.
  Windows Features | TPM Required | Supports TPM 1.2  | Supports TPM 2.0  | Details  |
 -|-|-|-|-
  Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot
- BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support
+ BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support
  Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
  Windows Defender Application Control (Device Guard) | No | Yes | Yes
  Windows Defender System Guard | Yes | No | Yes

windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md

@@ -41,7 +41,7 @@ This policy setting configured which TPM authorization values are stored in the
 |--------------|---------------|---------|-----------------|-----------------|------------------|
 | OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No      | Yes             | Yes              |
 | OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No  | Yes  | Yes   |
-| OwnerAuthFull | LockoutAuth  | Reset/change Dictionary Attack Protection | No | No | No   |
+| OwnerAuthFull | LockoutAuth  | Reset/change Dictionary Attack Protection | No | No | Yes   |
 
 There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**.
 

windows/security/threat-protection/TOC.md

@@ -26,6 +26,12 @@
 #### [Prepare for your migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md)
 #### [Set up Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md)
 #### [Onboard to Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md)
+### [Manage Microsoft Defender ATP post migration]()
+#### [Overview](microsoft-defender-atp/manage-atp-post-migration.md)
+#### [Intune (recommended)](microsoft-defender-atp/manage-atp-post-migration-intune.md)
+#### [Configuration Manager](microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md)
+#### [Group Policy Objects](microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md)
+#### [PowerShell, WMI, and MPCmdRun.exe](microsoft-defender-atp/manage-atp-post-migration-other-tools.md)
 
 ## [Security administration]()
 ### [Threat & Vulnerability Management]()
@@ -109,7 +115,7 @@
 #### [Configure next-generation protection]()
 ##### [Configure Microsoft Defender Antivirus features](microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md)
    
-##### [Utilize Microsoft cloud-delivered protection](microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+##### [Use Microsoft cloud-delivered protection](microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
 ###### [Enable cloud-delivered protection](microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md)
 ###### [Specify the cloud-delivered protection level](microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md)
 ###### [Configure and validate network connections](microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md)
@@ -127,6 +133,15 @@
 ##### [Antivirus compatibility]()
 ###### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
 ###### [Use limited periodic antivirus scanning](microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md)
+
+##### [Manage next-generation protection in your business]()
+###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
+###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next-generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
+###### [Use Group Policy settings to manage next-generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
+###### [Use PowerShell cmdlets to manage next-generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
+###### [Use the mpcmdrun.exe command line tool to manage next-generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
+###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md)
    
 ##### [Deploy, manage updates, and report on antivirus]()
 ###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
@@ -153,7 +168,7 @@
 ####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
 ####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
 ####### [Configure antivirus exclusions Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-   
+####### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md)
 ###### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
 ###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
 ###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
@@ -163,14 +178,6 @@
    
 ##### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
    
-##### [Manage antivirus in your business]()
-###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
-###### [Use Group Policy settings to configure and manage antivirus](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
-###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
-###### [Use PowerShell cmdlets to configure and manage antivirus](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
-###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
-   
 ##### [Manage scans and remediation]()
 ###### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
    
@@ -190,16 +197,6 @@
 ###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
 ###### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
    
-##### [Manage next-generation protection in your business]()
-###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md)
-###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
-###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
-###### [Use Group Policy settings to manage next generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
-###### [Use PowerShell cmdlets to manage next generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
-###### [Use the mpcmdrun.exe command line tool to manage next generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
-
-
 #### [Better together: Microsoft Defender Antivirus and Microsoft Defender ATP](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
 #### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
 
@@ -302,8 +299,8 @@
 ##### [Take response actions on a device]()
 ###### [Response actions on devices](microsoft-defender-atp/respond-machine-alerts.md)
 ###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
-###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
-###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
+###### [Start an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
+###### [Start a Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
 ###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices)
 ###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-devices)
 ###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
@@ -320,9 +317,6 @@
 ###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
 ###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
 ###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
-###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
-###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
-###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
 
 #### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
 ##### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
@@ -422,7 +416,7 @@
 #### [Ensure your devices are configured properly](microsoft-defender-atp/configure-machines.md)
 #### [Monitor and increase device onboarding](microsoft-defender-atp/configure-machines-onboarding.md)
 #### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
-#### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
+#### [Optimize attack surface reduction rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
 
 ### [Configure portal settings]()
 #### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
@@ -570,7 +564,7 @@
 ###### [Vulnerability]()
 ####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
 ####### [List vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
-####### [List vulnerabilities by Machine and Software](microsoft-defender-atp/get-all-vulnerabilities-by-machines.md)
+####### [List vulnerabilities by machine and software](microsoft-defender-atp/get-all-vulnerabilities-by-machines.md)
 ####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
 ####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)
 
@@ -601,6 +595,7 @@
 ##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
 ##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
 ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
+##### [Fetch alerts from customer tenant](microsoft-defender-atp/fetch-alerts-mssp.md)
 ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
 
 #### [Partners & APIs]()
@@ -615,7 +610,12 @@
 ###### [Using device groups](microsoft-defender-atp/machine-groups.md)
 ###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md)
 
-#### [Configure managed security service provider (MSSP) integration](microsoft-defender-atp/configure-mssp-support.md)
+#### [Managed security service provider (MSSP) integration]()
+##### [Configure managed security service provider integration](microsoft-defender-atp/configure-mssp-support.md)
+##### [Grant MSSP access to the portal](microsoft-defender-atp/grant-mssp-access.md)
+##### [Access the MSSP customer portal](microsoft-defender-atp/access-mssp-portal.md)
+##### [Configure alert notifications](microsoft-defender-atp/configure-mssp-notifications.md)
+##### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
 
 ### [Partner integration scenarios]()
 #### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md)
@@ -816,7 +816,7 @@
 ####### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md)
 ####### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md)
 ####### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md)
-####### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md)
+####### [Event 4780 S: The ACL was set on accounts that are members of administrators groups.](auditing/event-4780.md)
 ####### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md)
 ####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md)
 ####### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md)
@@ -842,6 +842,8 @@
 ####### [Event 4689 S: A process has exited.](auditing/event-4689.md)
 ###### [Audit RPC Events](auditing/audit-rpc-events.md)
 ####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md)
+###### [Audit Token Right Adjusted](auditing/audit-token-right-adjusted.md)
+####### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md)
 ###### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md)
 ####### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md)
 ####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md)
@@ -1207,7 +1209,7 @@
 ###### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
 ###### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
 ###### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
-###### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md)
+###### [System objects: Strengthen default permissions of internal system objects (Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md)
 ###### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md)
 ###### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
 ###### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)

windows/security/threat-protection/auditing/basic-audit-object-access.md

@@ -28,7 +28,8 @@ If you define this policy setting, you can specify whether to audit successes, a
 
 To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
 
-> **Note:**  You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box.
+> [!NOTE]
+> You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box.
 
 **Default:** No auditing.
 
@@ -41,10 +42,10 @@ You can configure this security setting by opening the appropriate policy under
 |----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 |         560          |                                                                                                 Access was granted to an already existing object.                                                                                                  |
 |         562          |                                                                                                         A handle to an object was closed.                                                                                                          |
-|         563          |                                An attempt was made to open an object with the intent to delete it.<br>\*\*Note: \*\*  This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().                                |
+|         563          |                                An attempt was made to open an object with the intent to delete it.<br>**Note:**  This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().                                |
 |         564          |                                                                                                          A protected object was deleted.                                                                                                           |
 |         565          |                                                                                               Access was granted to an already existing object type.                                                                                               |
-|         567          | A permission associated with a handle was used.<br>\*\*Note: \*\*  A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
+|         567          | A permission associated with a handle was used.<br>**Note:**  A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
 |         568          |                                                                                     An attempt was made to create a hard link to a file that is being audited.                                                                                     |
 |         569          |                                                                                The resource manager in Authorization Manager attempted to create a client context.                                                                                 |
 |         570          |                                                           A client attempted to access an object.<br>**Note:**  An event will be generated for every attempted operation on the object.                                                            |

windows/security/threat-protection/auditing/event-4771.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 07/23/2020
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
@@ -226,6 +226,6 @@ For 4771(F): Kerberos pre-authentication failed.
 | **Pre-Authentication Type** | Value is **not 15** when account must use a smart card for authentication. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types).                                        |
 | **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types).                      |
 | **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types).       |
-| **Result Code**             | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication.                                          |
-| **Result Code**             | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. |
+| **Failure Code**             | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication.                                          |
+| **Failure Code**             | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. |
 

windows/security/threat-protection/intelligence/TOC.md

@@ -34,6 +34,8 @@
 
 ## [Submit files for analysis](submission-guide.md)
 
+## [Troubleshoot malware submission](portal-submission-troubleshooting.md)
+
 ## [Safety Scanner download](safety-scanner-download.md)
 
 ## [Industry collaboration programs](cybersecurity-industry-partners.md)

windows/security/threat-protection/intelligence/developer-faq.md

@@ -31,20 +31,20 @@ Submit the file in question as a software developer. Wait until your submission
 
 If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
 
-We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted software. 
+We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md).
 
 ## Why is Microsoft asking for a copy of my program?
 
-This can help us with our analysis. Participants of the Microsoft Active Protection Service (MAPS) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
+This can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
 
 ## Why does Microsoft classify my installer as a software bundler?
 
-It contains instructions to offer a program classified as unwanted software. You can review the criteria we use to check applications for behaviors that are considered unwanted.
+It contains instructions to offer a program classified as unwanted software. You can review the [criteria](criteria.md) we use to check applications for behaviors that are considered unwanted.
 
-## Why is the Windows Firewall blocking my program?
+## Why is the Windows Defender Firewall blocking my program?
 
-This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network.
+This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security).
 
-## Why does the Windows Defender SmartScreen say my program is not commonly downloaded?
+## Why does the Microsoft Defender SmartScreen say my program is not commonly downloaded?
 
-This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more from the [SmartScreen website.](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
+This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)

windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md

@@ -0,0 +1,89 @@
+---
+title: Troubleshoot MSI portal errors caused by admin block
+description: Troubleshoot MSI portal errors
+ms.reviewer: 
+keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: dansimp
+author: dansimp
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance  
+ms.topic: article
+search.appverid: met150
+---
+
+# Troubleshooting malware submission errors caused by administrator block
+In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this.
+
+## Review your settings
+Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** >  **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected.
+
+- If this is set to **No**,  an AAD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with AAD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent,  users need to request for these permissions to be added to their AAD admin. Go to the following section for more information.
+
+- It this is set to **Yes**, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign-in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If this is set to **No** you'll need to request an AAD admin enable it. 
+  
+## Implement Required Enterprise Application permissions 
+This process requires a global or application admin in the tenant.
+ 1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). 
+ 2. Click **Grant admin consent for organization**.
+ 3. If you're able to do so, Review the API permissions required for this application. This should be exactly the same as in the following image. Provide consent for the tenant.
+
+   ![grant consent image](images/msi-grant-admin-consent.jpg)
+
+  4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.
+  
+## Option 1 Approve enterprise application permissions by user request
+> [!Note]
+> This is currently a preview feature.
+
+Azure Active Directory admins will need to allow for users to request admin consent to apps. Verify the setting is configured to **Yes** in [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/).
+
+![Enterprise applications user settings](images/msi-enterprise-app-user-setting.jpg)
+
+More information is available in [Configure Admin consent workflow](https://docs.microsoft.com/azure/active-directory/manage-apps/configure-admin-consent-workflow).
+
+Once this setting is verified, users can go through the enterprise customer sign-in at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission), and submit a request for admin consent, including justification.
+
+![Contoso sign in flow](images/msi-contoso-approval-required.png)
+
+Admin will be able to review and approve the application permissions [Azure admin consent requests](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AccessRequests/menuId/).
+
+After providing consent, all users in the tenant will be able to use the application.
+  
+## Option 2 Provide admin consent by authenticating the application as an admin 
+This process requires that global admins go through the Enterprise customer sign-in flow at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission).
+
+![Consent sign in flow](images/msi-microsoft-permission-required.jpg)
+
+Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and click **Accept**.
+
+All users in the tenant will now be able to use this application.
+
+## Option 3: Delete and re-add app permissions
+If neither of these options resolve the issue, try the following steps (as an admin):
+
+1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b)
+and click **delete**.
+
+   ![Delete app permissions](images/msi-properties.png)
+
+2. Capture TenantID from [Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties).
+
+3. Replace {tenant-id} with the specific tenant that needs to grant consent to this application in the URL below. Copy this URL into browser. The rest of the parameters are already completed. 
+``https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=f0cf43e5-8a9b-451c-b2d5-7285c785684d&state=12345&redirect_uri=https%3a%2f%2fwww.microsoft.com%2fwdsi%2ffilesubmission&scope=openid+profile+email+offline_access``
+
+   ![Permissions needed](images/msi-microsoft-permission-requested-your-organization.png)
+
+4. Review the permissions required by the application, and then click **Accept**. 
+
+5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051).
+
+   ![Review that permissions are applied](images/msi-permissions.jpg)
+   
+6. Sign in to [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission) as an enterprise user with a non-admin account to see if you have access.
+
+ If the warning is not resolved after following these troubleshooting steps, call Microsoft support.

windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md

@@ -25,6 +25,9 @@ manager: dansimp
 
 This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV.
 
+> [!NOTE]
+> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
+
 On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps:
 
 1. Open an administrator-level version of the command prompt as follows:

windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md

@@ -0,0 +1,156 @@
+---
+title: Common mistakes to avoid when defining exclusions
+description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans.
+keywords: exclusions, files, extension, file type, folder name, file name, scans
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.reviewer: 
+manager: dansimp
+---
+
+# Common mistakes to avoid when defining exclusions
+You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. 
+
+This topic describes some common mistake that you should avoid when defining exclusions. 
+
+Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
+
+## Excluding certain trusted items
+There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
+
+**Do not add exclusions for the following folder locations:**
+
+- %systemdrive%
+- C:
+- C:\
+- C:\*
+- %ProgramFiles%\Java
+- C:\Program Files\Java
+- %ProgramFiles%\Contoso\
+- C:\Program Files\Contoso\
+- %ProgramFiles(x86)%\Contoso\
+- C:\Program Files (x86)\Contoso\
+- C:\Temp
+- C:\Temp\
+- C:\Temp\*
+- C:\Users\
+- C:\Users\*
+- C:\Users\<UserProfileName>\AppData\Local\Temp\
+- C:\Users\<UserProfileName>\AppData\LocalLow\Temp\
+- C:\Users\<UserProfileName>\AppData\Roaming\Temp\
+- %Windir%\Prefetch
+- C:\Windows\Prefetch
+- C:\Windows\Prefetch\
+- C:\Windows\Prefetch\*
+- %Windir%\System32\Spool
+- C:\Windows\System32\Spool
+- C:\Windows\System32\CatRoot2
+- %Windir%\Temp
+- C:\Windows\Temp
+- C:\Windows\Temp\
+- C:\Windows\Temp\*
+
+**Do not add exclusions for the following file extensions:**  
+- .7zip
+- .bat
+- .bin
+- .cab
+- .cmd
+- .com
+- .cpl
+- .dll
+- .exe
+- .fla
+- .gif
+- .gz
+- .hta
+- .inf
+- .java
+- .jar
+- .job
+- .jpeg
+- .jpg
+- .js
+- .ko
+- .ko.gz
+- .msi
+- .ocx
+- .png
+- .ps1
+- .py
+- .rar
+- .reg
+- .scr
+- .sys
+- .tar
+- .tmp
+- .url
+- .vbe
+- .vbs
+- .wsf
+- .zip
+
+>[!NOTE]
+> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
+
+**Do not add exclusions for the following processes:**  
+- AcroRd32.exe
+- bitsadmin.exe
+- excel.exe
+- iexplore.exe
+- java.exe
+- outlook.exe
+- psexec.exe
+- powerpnt.exe
+- powershell.exe
+- schtasks.exe
+- svchost.exe
+- wmic.exe
+- winword.exe
+- wuauclt.exe
+- addinprocess.exe
+- addinprocess32.exe
+- addinutil.exe
+- bash.exe
+- bginfo.exe[1]
+- cdb.exe
+- csi.exe
+- dbghost.exe
+- dbgsvc.exe
+- dnx.exe
+- fsi.exe
+- fsiAnyCpu.exe
+- kd.exe
+- ntkd.exe
+- lxssmanager.dll
+- msbuild.exe[2]
+- mshta.exe
+- ntsd.exe
+- rcsi.exe
+- system.management.automation.dll
+- windbg.exe
+
+## Using just the file name in the exclusion list
+A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**.
+
+## Using a single exclusion list for multiple server workloads
+Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload.
+
+## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists
+Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables.
+See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
+
+## Related topics
+
+- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md

@@ -25,13 +25,26 @@ manager: dansimp
 
 You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
 
->[!WARNING]
->Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+## Configure and validate exclusions
+
+To configure and validate exclusions, see the following:
 
 - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
 
 - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
 
+## Recommendations for defining exclusions
+
+Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+
+The following is a list of recommendations that you should keep in mind when defining exclusions:  
+
+- Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc.
+- Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process.
+- Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate.
+- Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded.
+
 ## Related articles
 
-[Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md

@@ -30,9 +30,9 @@ manager: dansimp
 You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
 
 > [!NOTE]
-> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
+> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell.
 
-This article  describes how to configure exclusion lists for the files and folders.
+This article  describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
 
 Exclusion | Examples | Exclusion list
 ---|---|---
@@ -199,9 +199,9 @@ The following table describes how the wildcards can be used and provides some ex
 
 <a id="review"></a>
 
-### System environmental variables
+### System environment variables
 
-The following table lists and describes the system account environmental variables. 
+The following table lists and describes the system account environment variables. 
 
 <table border="0" cellspacing="0" cellpadding="20">
 <thead>
@@ -569,3 +569,4 @@ You can also copy the string into a blank text file and attempt to save it with
 - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
 - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
 - [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md

@@ -114,9 +114,6 @@ You will also see a detection under **Quarantined threats** in the **Scan histor
 
    The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-microsoft-defender-antivirus.md).
 
->[!IMPORTANT]
->You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
-
 ## Related articles
 
 - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md

@@ -22,7 +22,7 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. 
+You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
 
 This topic describes how to configure exclusion lists for the following:
 
@@ -194,5 +194,6 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
 - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
 - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
 - [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
 - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
 - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md

@@ -54,9 +54,9 @@ Threats | Specify threats upon which default action should not be taken when det
 
 > [!IMPORTANT]
 > Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
-> </p>
+>
 > If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Microsoft Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md).
-> </p>
+> 
 > To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md).
 
 Also see [Configure remediation-required scheduled full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed) for more remediation-related settings.

windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md

@@ -18,10 +18,6 @@ ms.custom: nextgen
 
 # Configure Microsoft Defender Antivirus exclusions on Windows Server
 
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
 Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
 
 > [!NOTE]
@@ -43,7 +39,7 @@ In addition to server role-defined automatic exclusions, you can add or remove c
 
 ## Opt out of automatic exclusions
 
-In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. 
+In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
 
 > [!WARNING]
 > Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
@@ -401,11 +397,8 @@ This section lists the folder exclusions that are delivered automatically when y
 ## Related articles
 
 - [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-
 - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-
 - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
 - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-
 - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md

@@ -7,7 +7,6 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
@@ -27,7 +26,7 @@ manager: dansimp
 Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
 - If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
 - If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)
-- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/shadow-protection) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
+- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
 
 ## Antivirus and Microsoft Defender ATP
 
@@ -97,3 +96,5 @@ If you uninstall the other product, and choose to use Microsoft Defender Antivir
 - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
 - [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
 - [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
+- [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
+- [Configure Endpoint Protection on a standalone client](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure-standalone-client)

windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md

@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 12/10/2018
+ms.date: 07/22/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -71,7 +71,7 @@ Scheduled scans will run at the day and time you specify. You can use Group Poli
 >[!NOTE]
 >If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time.
 
-**Use Group Policy to schedule scans:**
+### Use Group Policy to schedule scans
 
 Location | Setting | Description | Default setting (if not configured)
 ---|---|---|---
@@ -80,7 +80,7 @@ Scan | Specify the day of the week to run a scheduled scan | Specify the day (or
 Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
 Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. <br>In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
 
-**Use PowerShell cmdlets to schedule scans:**
+### Use PowerShell cmdlets to schedule scans
 
 Use the following cmdlets:
 
@@ -94,7 +94,7 @@ Set-MpPreference -RandomizeScheduleTaskTimes
 
 See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
 
-**Use Windows Management Instruction (WMI) to schedule scans:**
+### Use Windows Management Instruction (WMI) to schedule scans
 
 Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
 
@@ -113,13 +113,16 @@ See the following for more information and allowed parameters:
 
 You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy, PowerShell, or WMI.
 
-**Use Group Policy to schedule scans**
+> [!NOTE]
+> These scans will not honor the CPU throttling configuration and take full advantage of the resources available to complete the scan as fast as possible.
+
+### Use Group Policy to schedule scans
 
 Location | Setting | Description | Default setting (if not configured)
 ---|---|---|---
 Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled
 
-**Use PowerShell cmdlets:**
+### Use PowerShell cmdlets
 
 Use the following cmdlets:
 
@@ -129,7 +132,7 @@ Set-MpPreference -ScanOnlyIfIdleEnabled
 
 See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
 
-**Use Windows Management Instruction (WMI):**
+### Use Windows Management Instruction (WMI)
 
 Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
 
@@ -146,15 +149,14 @@ See the following for more information and allowed parameters:
 
 Some threats may require a full scan to complete their removal and remediation. You can schedule when these scans should occur with Group Policy, PowerShell, or WMI.
 
-
-**Use Group Policy to schedule remediation-required scans**
+### Use Group Policy to schedule remediation-required scans
 
 Location | Setting | Description | Default setting (if not configured)
 ---|---|---|---
 Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
 Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
 
-**Use PowerShell cmdlets:**
+### Use PowerShell cmdlets
 
 Use the following cmdlets:
 
@@ -165,7 +167,7 @@ Set-MpPreference -RemediationScheduleTime
 
 See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
 
-**Use Windows Management Instruction (WMI):**
+### Use Windows Management Instruction (WMI)
 
 Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
 
@@ -185,14 +187,14 @@ See the following for more information and allowed parameters:
 You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy, PowerShell, or WMI.
 
 
-**Use Group Policy to schedule daily scans:**
+### Use Group Policy to schedule daily scans
 
 Location | Setting | Description | Default setting (if not configured)
 ---|---|---|---
 Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never
 Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
 
-**Use PowerShell cmdlets to schedule daily scans:**
+### Use PowerShell cmdlets to schedule daily scans
 
 Use the following cmdlets:
 
@@ -202,7 +204,7 @@ Set-MpPreference -ScanScheduleQuickTime
 
 See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
 
-**Use Windows Management Instruction (WMI) to schedule daily scans:**
+### Use Windows Management Instruction (WMI) to schedule daily scans
 
 Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
 
@@ -219,16 +221,12 @@ See the following for more information and allowed parameters:
 
 You can force a scan to occur after every [protection update](manage-protection-updates-microsoft-defender-antivirus.md) with Group Policy.
 
-**Use Group Policy to schedule scans after protection updates**
+### Use Group Policy to schedule scans after protection updates
 
 Location | Setting | Description | Default setting (if not configured)
 ---|---|---|---
 Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
 
-
-
-
-
 ## Related topics
 
 

windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md

@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 02/24/2020
+ms.date: 07/23/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -59,3 +59,4 @@ Omit the `-online` parameter to get locally cached help.
 
 - [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
 - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus Cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps)

windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md

@@ -95,7 +95,7 @@ Microsoft Defender Application Guard accesses files from a VHD mounted on the ho
 
 ### Why do the Network Isolation policies in Group Policy and CSP look different?
 
-There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatary network isolation policies to deploy WDAG are different between CSP and GP.
+There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
 
 Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
 Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
@@ -107,3 +107,55 @@ Windows Defender Application Guard accesses files from a VHD mounted on the host
 
 If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. 
 
+### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
+
+Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. 
+
+### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file?
+
+This is a known issue. To mitigate this you need to create two firewall rules.
+For guidance on how to create a firewall rule by using group policy, see:
+- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
+- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
+
+First rule (DHCP Server):
+1. Program path: %SystemRoot%\System32\svchost.exe
+2. Local Service: Sid:  S-1-5-80-2009329905-444645132-2728249442-922493431-93864177  (Internet Connection Service (SharedAccess))
+3. Protocol UDP
+4. Port 67
+
+Second rule (DHCP Client)
+This is the same as the first rule, but scoped to local port 68.
+In the Microsoft Defender Firewall user interface go through the following steps:
+1.	Right click on inbound rules, create a new rule.
+2.	Choose **custom rule**.
+3.	Program path: **%SystemRoot%\System32\svchost.exe**.
+4.	Protocol Type: UDP, Specific ports: 67, Remote port: any.
+5.	Any IP addresses.
+6.	Allow the connection.
+7.	All profiles.
+8.	The new rule should show up in the user interface. Right click on the **rule** > **properties**.
+9.	In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
+
+### Why can I not launch Application Guard when Exploit Guard is enabled?
+
+There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to Windows Security-> App and Browser control -> Exploit Protection Setting -> switch CFG to the “use default".
+
+
+### How can I have ICS in enabled state yet still use Application Guard?
+
+This is a two step process.
+
+Step 1:
+
+Enable Internet Connection sharing by changing the Group Policy setting “Prohibit use of Internet Connection Sharing on your DNS domain network” which is part of the MS Security baseline from Enabled to Disabled.
+ 
+Step 2:
+ 
+1. Disable IpNat.sys from ICS load
+System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1
+2. Configure ICS (SharedAccess) to enabled
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3
+3. Disabling IPNAT (Optional)
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4
+4. Reboot.

windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md

@@ -0,0 +1,56 @@
+---
+title: Access the Microsoft Defender Security Center MSSP customer portal
+description: Access the Microsoft Defender Security Center MSSP customer portal
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Access the Microsoft Defender Security Center MSSP customer portal
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+
+
+
+>[!NOTE] 
+>These set of steps are directed towards the MSSP. 
+
+By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
+ 
+
+MSSPs however, will need to use a tenant-specific URL in the following format:  `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal. 
+
+In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
+
+
+Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
+
+1. As an MSSP, login to Azure AD with your credentials. 
+
+2. Switch directory to the MSSP customer's tenant.
+
+3.  Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field. 
+
+4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
+
+
+## Related topics
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)

windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md

@@ -28,7 +28,7 @@ Adds or remove tag to a specific [Machine](machine.md).
 
 ## Limitations
 
-1. You can post on machines last seen in the past 30 days.
+1. You can post on machines last seen according to your configured retention period.
 
 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
@@ -50,7 +50,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
 
 ## HTTP request
 
-```
+```http
 POST https://api.securitycenter.windows.com/api/machines/{id}/tags
 ```
 
@@ -83,12 +83,13 @@ Here is an example of a request that adds machine tag.
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
-```
+```http
 POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
 Content-type: application/json
 {
   "Value" : "test Tag 2",
   "Action": "Add"
 }
+```
 
-- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
+- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.

windows/security/threat-protection/microsoft-defender-atp/advanced-features.md

@@ -175,12 +175,19 @@ When you enable Intune integration, Intune will automatically create a classic C
 >[!NOTE]
 > The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.
 
+
 ## Preview features
 
 Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
 
 You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available.
 
+## Share endpoint alerts with Microsoft Compliance Center
+
+Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.
+
+After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Microsoft Defender ATP alerts will be shared with insider risk management for applicable users.
+
 ## Enable advanced features
 
 1. In the navigation pane, select **Preferences setup** > **Advanced features**.

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md

@@ -43,6 +43,7 @@ For information on other tables in the advanced hunting schema, see [the advance
 | `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
 | `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
 | `RemoteIP` | string | IP address that was being connected to |
+| `AttackTechniques` | string | MITRE ATT&CK techniques associated with the activity that triggered the alert |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `Table` | string | Table that contains the details of the event |
 

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md

@@ -27,6 +27,10 @@ ms.topic: article
 
 The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
 
+> [!NOTE]
+> Collection of DeviceLogonEvents is not supported on Windows 7 or Windows Server 2008 R2.
+> We recommend upgrading to Windows 10 or Windows Server 2019 for optimal visibility into user logon activity.
+
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 
 | Column name | Data type | Description |
@@ -68,4 +72,4 @@ For information on other tables in the advanced hunting schema, see [the advance
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)

windows/security/threat-protection/microsoft-defender-atp/alerts.md

@@ -49,9 +49,9 @@ lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that
 firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device.
 lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated.
 resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
-incidentId | Nullable Long | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert.
-investigationId | Nullable Long | The [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) ID related to the Alert.
-investigationState | Nullable Enum | The current state of the [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
+incidentId | Nullable Long | The [Incident](view-incidents-queue.md) ID of the Alert.
+investigationId | Nullable Long | The [Investigation](automated-investigations.md) ID related to the Alert.
+investigationState | Nullable Enum | The current state of the [Investigation](automated-investigations.md). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
 assignedTo | String | Owner of the alert.
 severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
 status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
@@ -61,6 +61,8 @@ category| String | Category of the alert.
 detectionSource | String | Detection source.
 threatFamilyName | String | Threat family.
 machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
+computerDnsName | String | [machine](machine.md) fully qualified name.
+aadTenantId | String | The Azure Active Directory ID.
 comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
 
 ### Response example for getting single alert:

windows/security/threat-protection/microsoft-defender-atp/android-configure.md

@@ -29,8 +29,8 @@ Directory enables enforcing Device compliance and Conditional Access policies
 based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense
 (MTD) solution that you can deploy to leverage this capability via Intune.
 
-For more information on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
-Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
+For more information about how to set up Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
+Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
 
 
 ## Configure custom indicators  
@@ -43,7 +43,10 @@ Microsoft Defender ATP for Android enables admins to configure custom indicators
 ## Configure web protection
 Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
 
-For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
+>[!NOTE]
+> Microsoft Defender ATP for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. 
+For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-manage-android).
+
 
 ## Related topics
 - [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)

windows/security/threat-protection/microsoft-defender-atp/android-intune.md

@@ -26,7 +26,7 @@ ms.topic: conceptual
 
 This topic describes deploying Microsoft Defender ATP for Android on Intune
 Company Portal enrolled devices. For more information about Intune device enrollment, see  [Enroll your
-device](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/aka.ms/enrollAndroid).
+device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal).
 
 
 > [!NOTE]
@@ -45,7 +45,7 @@ This topic describes how to deploy Microsoft Defender ATP for Android on Intune
 Download the onboarding package from Microsoft Defender Security Center.
 
 1. In [Microsoft Defender Security
-Center](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/securitycenter.microsoft.com), go to **Settings** \> **Machine Management** \> **Onboarding**.
+Center](https://securitycenter.microsoft.com), go to **Settings** \> **Machine Management** \> **Onboarding**.
 
 2. In the first drop-down, select **Android** as the Operating system.
 
@@ -136,7 +136,7 @@ Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) .
 As Microsoft Defender ATP for Android is deployed via managed Google Play,
 updates to the app are automatic via Google Play.
 
-Currently only Work Profile enrolled devices are supported for deployment.
+Currently only Personal devices with Work Profile enrolled  are supported for deployment. 
 
 
 >[!NOTE]
@@ -283,7 +283,7 @@ and then your onboarding should be successful.
 
 4. At this stage the device is successfully onboarded onto Microsoft Defender
 ATP for Android. You can verify this on the [Microsoft Defender Security
-Center](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/securitycenter.microsoft.com)
+Center](https://securitycenter.microsoft.com)
 by navigating to the **Devices** page.
 
     ![Image of Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png)

windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md

@@ -123,7 +123,7 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a
 
 
 ## Power BI dashboard samples in GitHub
-For more information see the [Power BI report templates](https://github.com/microsoft/MDATP-PowerBI-Templates).
+For more information see the [Power BI report templates](https://github.com/microsoft/MicrosoftDefenderATP-PowerBI).
 
 ## Sample reports
 View the Microsoft Defender ATP Power BI report samples. For more information, see [Browse code samples](https://docs.microsoft.com/samples/browse/?products=mdatp).

windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md

@@ -7,7 +7,6 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: martyav
@@ -51,7 +50,7 @@ ASR currently supports all of the rules below:
 * [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes)
 * [Block Office applications from creating executable content](attack-surface-reduction.md#block-office-applications-from-creating-executable-content)
 * [Block Office applications from injecting code into other processes](attack-surface-reduction.md#block-office-applications-from-injecting-code-into-other-processes)
-* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md##block-javascript-or-vbscript-from-launching-downloaded-executable-content)
+* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md#block-javascript-or-vbscript-from-launching-downloaded-executable-content)
 * [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts)
 * [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros)
 * [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)

windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md

@@ -31,7 +31,7 @@ Attack surface reduction rules target software behaviors that are often abused b
 - Running obfuscated or otherwise suspicious scripts
 - Performing behaviors that apps don't usually initiate during normal day-to-day work
 
-These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
+Such behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
 
 Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
 
@@ -96,7 +96,7 @@ The following sections describe each of the 15 attack surface reduction rules. T
 |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Not supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
@@ -113,7 +113,7 @@ The following sections describe each of the 15 attack surface reduction rules. T
 This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
 
 - Executable files (such as .exe, .dll, or .scr)
-- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+- Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)
 
 This rule was introduced in: 
 - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
@@ -191,9 +191,6 @@ This rule prevents scripts from launching potentially malicious downloaded conte
 
 Although not common, line-of-business applications sometimes use scripts to download and launch installers.
 
-> [!IMPORTANT]
-> File and folder exclusions don't apply to this attack surface reduction rule.
-
 This rule was introduced in:  
 - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
@@ -330,7 +327,7 @@ GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
 With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
 
 * Executable files (such as .exe, .dll, or .scr)
-* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+* Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)
 
 This rule was introduced in: 
 - [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
@@ -346,7 +343,7 @@ GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
 
 ### Block Office communication application from creating child processes
 
-This rule prevents Outlook from creating child processes, while till allowing legitimate Outlook functions.
+This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
 
 This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
 
@@ -385,13 +382,16 @@ GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
 
 This rule prevents malware from abusing WMI to attain persistence on a device.
 
+> [!IMPORTANT]
+> File and folder exclusions don't apply to this attack surface reduction rule.
+
 Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
 
 This rule was introduced in: 
 - [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
 - [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
 
-Intune name: Block persistence through WMI event subscription
+Intune name: Not yet available
 
 Configuration Manager name: Not yet available
 

windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md

@@ -158,4 +158,7 @@ When you click on the pending actions link, you'll be taken to the Action center
 
 ## Next steps
 
-[View and approve remediation actions](manage-auto-investigation.md)
+- [View and approve remediation actions](manage-auto-investigation.md)
+
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+ 

windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md

@@ -82,10 +82,12 @@ The default device group is configured for semi-automatic remediation. This mean
 
 When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
 
-## Next step
+## Next steps
 
 - [Learn about the automated investigations dashboard](manage-auto-investigation.md)
 
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+
 ## Related articles
 
 - [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)

windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md

@@ -39,19 +39,28 @@ The following OS versions are supported:
 >[!NOTE]
 >A patch must be deployed before device onboarding in order to configure Microsoft Defender ATP to the correct environment.
 
-The following OS versions are not supported:
+The following OS versions are supported via Azure Security Center:
 - Windows Server 2008 R2 SP1
 - Windows Server 2012 R2
 - Windows Server 2016
+
+The following OS versions are not supported:
+- Windows Server 2008 R2 SP1 (standalone, not via ASC)
+- Windows Server 2012 R2 (standalone, not via ASC)
+- Windows Server 2016 (standalone, not via ASC)
 - Windows Server, version 1803
 - Windows 7 SP1 Enterprise
 - Windows 7 SP1 Pro
 - Windows 8 Pro
 - Windows 8.1 Enterprise
 - macOS
+- Linux
 
 The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2019:
 
+## Threat Analytics
+Not currently available.
+
 ## Threat & Vulnerability Management
 Not currently available.
 

windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md

@@ -33,7 +33,7 @@ ms.date: 04/16/2020
 Microsoft Defender ATP supports non-persistent VDI session onboarding. 
 
 >[!Note]
->To onboard non-persistent VDI sessions, VDI machines must be on Windows 10.
+>To onboard non-persistent VDI sessions, VDI devices must be on Windows 10.
 >
 >While other Windows versions might work, only Windows 10 is supported.
 

windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md

@@ -23,8 +23,7 @@ ms.topic: conceptual
 
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
+- [Microsoft 365 Endpoint data loss prevention (DLP)](/microsoft-365/compliance/endpoint-dlp-learn-about)
 
 Devices in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization.
 

windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md

@@ -0,0 +1,46 @@
+---
+title: Configure alert notifications that are sent to MSSPs 
+description: Configure alert notifications that are sent to MSSPs
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Configure alert notifications that are sent to MSSPs 
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+
+>[!NOTE]
+>This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
+
+After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
+
+ 
+For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
+ 
+
+These check boxes must be checked:
+- **Include organization name** - The customer name will be added to email notifications
+- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
+
+
+## Related topics
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)

windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md

@@ -1,8 +1,6 @@
 ---
 title: Configure managed security service provider support
-
 description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP 
- 
 keywords: managed security service provider, mssp, configure, integration
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -17,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 09/03/2018
 ---
 
 # Configure managed security service provider integration
@@ -67,249 +64,11 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
 This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
 
 
-## Grant the MSSP access to the portal
 
 
->[!NOTE] 
-> These set of steps are directed towards the MSSP customer. <br>
-> Access to the portal can only be done by the MSSP customer.
-
-As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center. 
- 
-
-Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality. 
-
-You'll need to take the following 2 steps:
-- Add MSSP user to your tenant as a guest user
-
-- Grant MSSP user access to Microsoft Defender Security Center
- 
-
-### Add MSSP user to your tenant as a guest user
-Add a user who is a member of the MSSP tenant to your tenant as a guest user.
-
-To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator).
- 
-### Grant MSSP user access to Microsoft Defender Security Center
-Grant the guest user access and permissions to your Microsoft Defender Security Center tenant.
-
-Granting access to guest user is done the same way as granting access to a user who is a member of your tenant. 
-
-If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md).
-
-If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md).
- 
-
->[!NOTE]
->There is no difference between the Member user and Guest user roles from RBAC perspective.
-
-It is recommended that groups are created for MSSPs to make authorization access more manageable.
-
-As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups. 
-
- 
-## Access the Microsoft Defender Security Center MSSP customer portal
-
->[!NOTE] 
->These set of steps are directed towards the MSSP. 
-
-By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
- 
-
-MSSPs however, will need to use a tenant-specific URL in the following format:  `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal. 
-
-In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
-
-
-Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
-
-1. As an MSSP, login to Azure AD with your credentials. 
-
-2. Switch directory to the MSSP customer's tenant.
-
-3.  Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field. 
-
-4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
-
-## Configure alert notifications that are sent to MSSPs 
-
->[!NOTE]
->This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
-
-After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
-
- 
-For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
- 
-
-These check boxes must be checked:
-- **Include organization name** - The customer name will be added to email notifications
-- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
-
-
-## Fetch alerts from MSSP customer's tenant into the SIEM system
-
->[!NOTE]
->This action is taken by the MSSP.
-
-
-To fetch alerts into your SIEM system you'll need to take the following steps:
-
-Step 1: Create a third-party application
-
-Step 2: Get access and refresh tokens from your customer's tenant
- 
-Step 3: allow your application on Microsoft Defender Security Center
- 
-
-
-
-### Step 1: Create an application in Azure Active Directory (Azure AD)
- 
-You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
- 
-
-1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
-
-2. Select **Azure Active Directory** > **App registrations**.
-
- 
-3. Click **New registration**.
- 
-
-4. Specify the following values:
-
-    - Name: \<Tenant_name\> SIEM MSSP Connector (replace Tenant_name with the tenant display name)
- 
-    - Supported account types: Account in this organizational directory only 
-    - Redirect URI: Select Web and type `https://<domain_name>/SiemMsspConnector`(replace <domain_name> with the tenant name)
-
-5. Click **Register**. The application is displayed in the list of applications you own.
-
-6. Select the application, then click **Overview**.
-
-7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
-
-8. Select **Certificate & secrets** in the new application panel.
-
-9. Click **New client secret**.
-
-
-    - Description: Enter a description for the key.
-    - Expires: Select **In 1 year**
-
- 
-10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
- 
-
-### Step 2: Get access and refresh tokens from your customer's tenant
-This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
-
-After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant.
-
-
-1. Create a new folder and name it: `MsspTokensAcquisition`.
-
-2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder.
-
-    >[!NOTE]
-    >In line 30, replace `authorzationUrl` with `authorizationUrl`.
-
-3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder:
-    ```
-    param (
-        [Parameter(Mandatory=$true)][string]$clientId,
-        [Parameter(Mandatory=$true)][string]$secret,
-        [Parameter(Mandatory=$true)][string]$tenantId
-    )
-    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-
-    # Load our Login Browser Function
-    Import-Module .\LoginBrowser.psm1
-
-    # Configuration parameters
-    $login = "https://login.microsoftonline.com"
-    $redirectUri = "https://SiemMsspConnector"
-    $resourceId = "https://graph.windows.net"
-
-    Write-Host 'Prompt the user for his credentials, to get an authorization code'
-    $authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
-                        $login, $tenantId, $clientId, $redirectUri, $resourceId)
-    Write-Host "authorzationUrl: $authorizationUrl"
-
-    # Fake a proper endpoint for the Redirect URI
-    $code = LoginBrowser $authorizationUrl $redirectUri
-
-    # Acquire token using the authorization code
-
-    $Body = @{
-        grant_type = 'authorization_code'
-        client_id = $clientId
-        code = $code
-        redirect_uri = $redirectUri
-        resource = $resourceId
-        client_secret = $secret
-    }
-
-    $tokenEndpoint = "$login/$tenantId/oauth2/token?"
-    $Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
-    $token = $Response.access_token
-    $refreshToken= $Response.refresh_token
-
-    Write-Host " -----------------------------------  TOKEN ---------------------------------- "
-    Write-Host $token
-
-    Write-Host " -----------------------------------  REFRESH TOKEN ---------------------------------- "
-    Write-Host $refreshToken 
-    ```
-4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder.
-
-5. Run the following command: 
-   `Set-ExecutionPolicy -ExecutionPolicy Bypass`
-
-6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId <client_id> -secret <app_key> -tenantId <customer_tenant_id>`
- 
-    - Replace \<client_id\> with the **Application (client) ID** you got from the previous step.
-    - Replace \<app_key\> with the **Client Secret** you created from the previous step.
-    - Replace \<customer_tenant_id\> with your customer's **Tenant ID**. 
- 
-
-7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
-
-8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. 
-
- 
-### Step 3: Allow your application on Microsoft Defender Security Center
-You'll need to allow the application you created in Microsoft Defender Security Center.
- 
-
-You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.
-
-1. Go to `https://securitycenter.windows.com?tid=<customer_tenant_id>` (replace \<customer_tenant_id\> with the customer's tenant ID.
-
-2. Click **Settings** > **SIEM**. 
-
-3. Select the **MSSP** tab.
-
-4. Enter the **Application ID** from the first step and your **Tenant ID**.
-
-5. Click **Authorize application**. 
-
- 
-You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
- 
-
-- In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value.
-- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
-
-## Fetch alerts from MSSP customer's tenant using APIs
- 
-For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
-
 ## Related topics
-- [Use basic permissions to access the portal](basic-permissions.md)
-- [Manage portal access using RBAC](rbac.md) 
-- [Pull alerts to your SIEM tools](configure-siem.md)
-- [Pull alerts using REST API](pull-alerts-using-rest-api.md)
- 
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
 

windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md

@@ -1,6 +1,6 @@
 ---
-title: Onboard servers to the Microsoft Defender ATP service
-description: Onboard servers so that they can send sensor data to the Microsoft Defender ATP sensor.
+title: Onboard Windows servers to the Microsoft Defender ATP service
+description: Onboard Windows servers so that they can send sensor data to the Microsoft Defender ATP sensor.
 keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Onboard servers to the Microsoft Defender ATP service
+# Onboard Windows servers to the Microsoft Defender ATP service
 
 **Applies to:**
 
@@ -34,7 +34,7 @@ ms.topic: article
 
 Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
 
-The service supports the onboarding of the following servers:
+The service supports the onboarding of the following Windows servers:
 - Windows Server 2008 R2 SP1
 - Windows Server 2012 R2
 - Windows Server 2016
@@ -44,38 +44,41 @@ The service supports the onboarding of the following servers:
 
 For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
 
+For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines).
 
-## Windows Server 2008 R2 SP1,  Windows Server 2012 R2, and Windows Server 2016
 
-There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP:
+## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
 
-- **Option 1**: Onboard through Microsoft Defender Security Center
-- **Option 2**: Onboard through Azure Security Center
+You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Microsoft Defender ATP by using any of the following options:
+
+- **Option 1**: [Onboard through Microsoft Defender Security Center](#option-1-onboard-windows-servers-through-microsoft-defender-security-center)
+- **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center)
+- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later (only for Windows Server 2012 R2 and Windows Server 2016)](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later)
 
 > [!NOTE]
-> Microsoft defender ATP standalone server license is required, per node, in order to onboard the server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a server through Azure Security Center (Option 2),  see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
+> Microsoft defender ATP standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
 
 
-### Option 1: Onboard servers through Microsoft Defender Security Center
-You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center.
+### Option 1: Onboard Windows servers through Microsoft Defender Security Center
+Perform the following steps to onboard Windows servers through Microsoft Defender Security Center:
 
  - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix:
-    - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+    - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
 
  - In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
-    - Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598)
+    - Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
     - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
 
- - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
+ - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
 
     > [!NOTE]
     > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
 
- - Turn on server monitoring from Microsoft Defender Security Center.
+ - [Turn on server monitoring from Microsoft Defender Security Center](#turn-on-server-monitoring-from-the-microsoft-defender-security-center-portal).
 
  - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support.
 
-    Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
+    Otherwise, [install and configure MMA to report sensor data to Microsoft Defender ATP](#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp). For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
 
 > [!TIP]
 > After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
@@ -94,7 +97,7 @@ The following steps are required to enable this integration:
 
 1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**.
 
-2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
+2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
 
 3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
 
@@ -104,52 +107,50 @@ The following steps are required to enable this integration:
 
 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
 
-2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
+2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server:
     - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup) <br>
     On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
     - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
 
 3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md).
 
-Once completed, you should see onboarded servers in the portal within an hour.
+Once completed, you should see onboarded Windows servers in the portal within an hour.
 
 <span id="server-proxy"/>
 
-### Configure server proxy and Internet connectivity settings
+### Configure Windows server proxy and Internet connectivity settings
 
 - Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the <a href="https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway" data-raw-source="[OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway)">OMS Gateway</a>.
 - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
 
+### Option 2: Onboard Windows servers through Azure Security Center
+1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**.
 
-
-### Option 2: Onboard servers through Azure Security Center
-1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**.
-
-2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
+2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
 
 3. Click **Onboard Servers in Azure Security Center**.
 
 4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
 
+### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later
+You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).
 
 ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
-To onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition, refer to the supported methods and versions below.
+You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods:
+
+- [Local script](configure-endpoints-script.md) 
+- [Group Policy](configure-endpoints-gp.md)
+- [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md#onboard-windows-10-devices-using-microsoft-endpoint-configuration-manager-current-branch)
+- [System Center Configuration Manager 2012 / 2012 R2  1511 / 1602](configure-endpoints-sccm.md#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
+- [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md)
 
 > [!NOTE]
-> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
+> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
+> - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.
 
-Supported tools include:
-- Local script
-- Group Policy
-- Microsoft Endpoint Configuration Manager
-- System Center Configuration Manager 2012 / 2012 R2  1511 / 1602
-- VDI onboarding scripts for non-persistent devices
+Support for Windows Server, provide deeper insight into activities happening on the Windows server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
 
-For more information, see  [Onboard Windows 10 devices](configure-endpoints.md).
-
-Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
-
-1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md).
+1. Configure Microsoft Defender ATP onboarding settings on the Windows server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md).
 
 2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly:
 
@@ -174,10 +175,11 @@ Support for Windows Server, provide deeper insight into activities happening on
    ```sc.exe query Windefend```
 
     If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
-
+    
+    For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
 
 ## Integration with Azure Security Center
-Microsoft Defender ATP can integrate with Azure Security Center to provide a comprehensive server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
+Microsoft Defender ATP can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
 
 The following capabilities are included in this integration:
 - Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
@@ -185,31 +187,33 @@ The following capabilities are included in this integration:
     > [!NOTE]
     > Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.
 
-- Servers monitored by  Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers.  In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
+- Windows servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers.  In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
 - Server investigation -  Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.
 
 > [!IMPORTANT]
-> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created (in the US for US users, in the EU for European and UK users).
+> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created (in the US for US users, in the EU for European and UK users).<br>
+Data collected by Microsoft Defender ATP is stored in the geo-location of the tenant as identified during provisioning.
 > - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
-> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created and the Microsoft Defender ATP data is stored in Europe by default. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
+> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. <br>
+Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
 
 
-## Offboard servers
+## Offboard Windows servers
 You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.
 
-For other server versions, you have two options to offboard servers from the service:
+For other Windows server versions, you have two options to offboard Windows servers from the service:
 - Uninstall the MMA agent
 - Remove the Microsoft Defender ATP workspace configuration
 
 > [!NOTE]
-> Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
+> Offboarding causes the Windows server to stop sending sensor data to the portal but data from the Windows server, including reference to any alerts it has had will be retained for up to 6 months.
 
-### Uninstall servers by uninstalling the MMA agent
-To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Microsoft Defender ATP.
+### Uninstall Windows servers by uninstalling the MMA agent
+To offboard the Windows server, you can uninstall the MMA agent from the Windows server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the Windows server will no longer send sensor data to Microsoft Defender ATP.
 For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
 
 ### Remove the Microsoft Defender ATP workspace configuration
-To offboard the server, you can use either of the following methods:
+To offboard the Windows server, you can use either of the following methods:
 
 - Remove the Microsoft Defender ATP workspace configuration from the MMA agent
 - Run a PowerShell command to remove the configuration
@@ -230,7 +234,7 @@ To offboard the server, you can use either of the following methods:
 
    1. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system and get your Workspace ID:
 
-      ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png)
+      ![Image of Windows server onboarding](images/atp-server-offboarding-workspaceid.png)
 
 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
 
@@ -242,7 +246,6 @@ To offboard the server, you can use either of the following methods:
     # Reload the configuration and apply changes
     $AgentCfg.ReloadConfiguration()
     ```
-
 ## Related topics
 - [Onboard Windows 10 devices](configure-endpoints.md)
 - [Onboard non-Windows devices](configure-endpoints-non-windows.md)

windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md

@@ -12,7 +12,10 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance  
+ms.collection: 
+- M365-security-compliance
+- m365solution-endpointprotect
+- m365solution-overview  
 ms.topic: article
 ---
 

windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md

@@ -29,7 +29,7 @@ ms.collection:
 When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. 
 
 > [!NOTE]
-> EDR in block mode is currently in preview. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
+> EDR in block mode is currently in private preview. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
 
 ## What happens when something is detected?
 
@@ -66,7 +66,7 @@ The following image shows an instance of unwanted software that was detected and
 |Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. <br/> In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
 
 > [!IMPORTANT]
-> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features. 
+> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are defined. 
 
 
 ## Frequently asked questions 

windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md

@@ -60,19 +60,21 @@ For more information about disabling local list merging, see [Prevent or allow u
 ## Intune
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-1. Click **Device configuration** > **Profiles** > **Create profile**.
-1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-   ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
-1. Click **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**.
-1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
 
-   ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)
+2. Click **Device configuration** > **Profiles** > **Create profile**.
+
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. <br/> ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) <br/>
+
+4. Click **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**.
+
+5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.<br/> ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)<br/>
 
    > [!NOTE]
    > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
 
-1. Click **OK** to save each open blade and click **Create**.
-1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
+6. Click **OK** to save each open blade and click **Create**.
+
+7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 
 ## MDM
 
@@ -81,12 +83,17 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
 ## Microsoft Endpoint Configuration Manager
 
 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+
 2. Click **Home** > **Create Exploit Guard Policy**.
+
 3. Enter a name and a description, click **Controlled folder access**, and click **Next**.
+
 4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
    > [!NOTE]
    > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
+
 5. Review the settings and click **Next** to create the policy.
+
 6. After the policy is created, click **Close**.
 
 ## Group Policy

windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md

@@ -108,13 +108,18 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab
 ## Intune
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
+
 2. Click **Device configuration** > **Profiles** > **Create profile**.
-3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-   ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
+
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.<br/>
+   ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)<br/>
+
 4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.  
-5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:  
-   ![Enable network protection in Intune](../images/enable-ep-intune.png)
+
+5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:<br/>![Enable network protection in Intune](../images/enable-ep-intune.png)<br/>
+
 6. Click **OK** to save each open blade and click **Create**.
+
 7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 
 ## MDM
@@ -124,19 +129,26 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
 ## Microsoft Endpoint Configuration Manager
 
 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
-1. Enter a name and a description, click **Exploit protection**, and click **Next**.
-1. Browse to the location of the exploit protection XML file and click **Next**.
-1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+
+2. Click **Home** > **Create Exploit Guard Policy**.
+
+3. Enter a name and a description, click **Exploit protection**, and click **Next**.
+
+4. Browse to the location of the exploit protection XML file and click **Next**.
+
+5. Review the settings and click **Next** to create the policy.
+
+6. After the policy is created, click **Close**.
 
 ## Group Policy
 
 1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
-1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
-3. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
+
+4. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
 
 ## PowerShell
 

windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md

@@ -12,7 +12,9 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: 
+- M365-security-compliance 
+- m365solution-evalutatemtp
 ms.topic: article
 ---
 

windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md

@@ -29,98 +29,172 @@ Not all properties are filterable.
 
 ## Properties that supports $filter:
 
-- [Alert](alerts.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category.
-- [Machine](machine.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
-- [MachineAction](machineaction.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
+- [Alert](alerts.md): ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category```.
+- [Machine](machine.md): ```ComputerDnsName```, ```LastSeen```, ```HealthStatus```, ```OsPlatform```, ```RiskScore``` and ```RbacGroupId```.
+- [MachineAction](machineaction.md): ```Status```, ```MachineId```, ```Type```, ```Requestor``` and ```CreationDateTimeUtc```.
+- [Indicator](ti-indicator.md): ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```severity ``` and ```action ```.
 
 ### Example 1
 
-Get all the devices with the tag 'ExampleTag'
+Get 10 latest Alerts with related Evidence
 
 ```
-HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
+HTTP GET  https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
 ```
 
 **Response:**
 
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
 {
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
     "value": [
-        {
-            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-			"computerDnsName": "mymachine1.contoso.com",
-			"firstSeen": "2018-08-02T14:55:03.7791856Z",
-			"lastSeen": "2018-08-02T14:55:03.7791856Z",
-			"osPlatform": "Windows10",
-			"version": "1709",
-			"osProcessor": "x64",
-			"lastIpAddress": "172.17.230.209",
-			"lastExternalIpAddress": "167.220.196.71",
-			"osBuild": 18209,
-			"healthStatus": "Active",
-			"rbacGroupId": 140,
-			"rbacGroupName": "The-A-Team",
-			"riskScore": "Low",
-			"exposureLevel": "Medium",
-			"isAadJoined": true,
-			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-			"machineTags": [ "test tag 1", "ExampleTag" ]
-        },
-        ...
-    ]
+		{
+			"id": "da637306396589640224_1753239473",
+			"incidentId": 875832,
+			"investigationId": 478434,
+			"assignedTo": null,
+			"severity": "Low",
+			"status": "New",
+			"classification": null,
+			"determination": null,
+			"investigationState": "PendingApproval",
+			"detectionSource": "WindowsDefenderAv",
+			"category": "UnwantedSoftware",
+			"threatFamilyName": "InstallCore",
+			"title": "An active 'InstallCore' unwanted software was detected",
+			"description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
+			"alertCreationTime": "2020-07-18T03:27:38.9483995Z",
+			"firstEventTime": "2020-07-18T03:25:39.6124549Z",
+			"lastEventTime": "2020-07-18T03:26:18.4362304Z",
+			"lastUpdateTime": "2020-07-18T03:28:19.76Z",
+			"resolvedTime": null,
+			"machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
+			"computerDnsName": "temp2.redmond.corp.microsoft.com",
+			"rbacGroupName": "Ring0",
+			"aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+			"relatedUser": {
+				"userName": "temp2",
+				"domainName": "REDMOND"
+			},
+			"comments": [],
+			"evidence": [
+				{
+					"entityType": "File",
+					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+					"fileName": "Your File Is Ready To Download_1911150169.exe",
+					"filePath": "C:\\Users\\temp2\\Downloads",
+					"processId": null,
+					"processCommandLine": null,
+					"processCreationTime": null,
+					"parentProcessId": null,
+					"parentProcessCreationTime": null,
+					"ipAddress": null,
+					"url": null,
+					"accountName": null,
+					"domainName": null,
+					"userSid": null,
+					"aadUserId": null,
+					"userPrincipalName": null
+				},
+				{
+					"entityType": "Process",
+					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+					"fileName": "Your File Is Ready To Download_1911150169.exe",
+					"filePath": "C:\\Users\\temp2\\Downloads",
+					"processId": 24348,
+					"processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
+					"processCreationTime": "2020-07-18T03:25:38.5269993Z",
+					"parentProcessId": 16840,
+					"parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
+					"ipAddress": null,
+					"url": null,
+					"accountName": null,
+					"domainName": null,
+					"userSid": null,
+					"aadUserId": null,
+					"userPrincipalName": null
+				},
+				{
+					"entityType": "User",
+					"sha1": null,
+					"sha256": null,
+					"fileName": null,
+					"filePath": null,
+					"processId": null,
+					"processCommandLine": null,
+					"processCreationTime": null,
+					"parentProcessId": null,
+					"parentProcessCreationTime": null,
+					"ipAddress": null,
+					"url": null,
+					"accountName": "temp2",
+					"domainName": "REDMOND",
+					"userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
+					"aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
+					"userPrincipalName": "temp2@microsoft.com"
+				}
+			]
+		},
+		...
+	]
 }
 ```
 
 ### Example 2
 
-Get all the alerts that created after 2018-10-20 00:00:00
+Get all the alerts last updated after 2019-10-20 00:00:00
 
 ```
-HTTP GET  https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime+gt+2018-11-22T00:00:00Z
+HTTP GET  https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z
 ```
 
 **Response:**
 
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "da637084217856368682_-292920499",
-			"incidentId": 66860,
-			"investigationId": 4416234,
-			"investigationState": "Running",
-			"assignedTo": "secop@contoso.com",
-			"severity": "Low",
-			"status": "New",
-			"classification": "TruePositive",
-			"determination": null,
-			"detectionSource": "WindowsDefenderAtp",
-			"category": "CommandAndControl",
-			"threatFamilyName": null,
-			"title": "Network connection to a risky host",
-			"description": "A network connection was made to a risky host which has exhibited malicious activity.",
-			"alertCreationTime": "2019-11-03T23:49:45.3823185Z",
-			"firstEventTime": "2019-11-03T23:47:16.2288822Z",
-			"lastEventTime": "2019-11-03T23:47:51.2966758Z",
-			"lastUpdateTime": "2019-11-03T23:55:52.6Z",
-			"resolvedTime": null,
-			"machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
+            "id": "da637308392288907382_-880718168",
+            "incidentId": 7587,
+            "investigationId": 723156,
+            "assignedTo": "secop123@contoso.com",
+            "severity": "Low",
+            "status": "New",
+            "classification": "TruePositive",
+            "determination": null,
+            "investigationState": "Queued",
+            "detectionSource": "WindowsDefenderAv",
+            "category": "SuspiciousActivity",
+            "threatFamilyName": "Meterpreter",
+            "title": "Suspicious 'Meterpreter' behavior was detected",
+            "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
+            "alertCreationTime": "2020-07-20T10:53:48.7657932Z",
+            "firstEventTime": "2020-07-20T10:52:17.6654369Z",
+            "lastEventTime": "2020-07-20T10:52:18.1362905Z",
+            "lastUpdateTime": "2020-07-20T10:53:50.19Z",
+            "resolvedTime": null,
+            "machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
+            "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+            "rbacGroupName": "MiddleEast",
+            "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+            "relatedUser": {
+                "userName": "temp123",
+                "domainName": "MIDDLEEAST"
+            },
 			"comments": [
 				{
 					"comment": "test comment for docs",
-					"createdBy": "secop@contoso.com",
-					"createdTime": "2019-11-05T14:08:37.8404534Z"
+					"createdBy": "secop123@contoso.com",
+					"createdTime": "2020-07-21T01:00:37.8404534Z"
 				}
-		  ]
-        },
-        ...
-    ]
+			],
+            "evidence": []
+		}
+		...
+	]
 }
 ```
 
@@ -134,9 +208,7 @@ HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=riskScore+
 
 **Response:**
 
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
@@ -175,9 +247,7 @@ HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=healthStat
 
 **Response:**
 
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
@@ -216,9 +286,7 @@ HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=lastSeen g
 
 **Response:**
 
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
@@ -257,10 +325,8 @@ HTTP GET  https://api.securitycenter.windows.com/api/machineactions?$filter=requ
 
 **Response:**
 
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
+```json
+json{
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
     "value": [
         {
@@ -291,10 +357,7 @@ HTTP GET  https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415
 
 **Response:**
 
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-
+```json
 4
 ```
 

windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md

@@ -0,0 +1,196 @@
+---
+title: Fetch alerts from MSSP customer tenant
+description: Learn how to fetch alerts from a customer tenant
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Fetch alerts from MSSP customer tenant
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+
+>[!NOTE]
+>This action is taken by the MSSP.
+
+
+There are two ways you can fetch alerts:
+- Using the SIEM method
+- Using APIs
+
+## Fetch alerts into your SIEM
+
+To fetch alerts into your SIEM system you'll need to take the following steps:
+
+Step 1: Create a third-party application
+
+Step 2: Get access and refresh tokens from your customer's tenant
+ 
+Step 3: allow your application on Microsoft Defender Security Center
+ 
+
+
+
+### Step 1: Create an application in Azure Active Directory (Azure AD)
+ 
+You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
+ 
+
+1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
+
+2. Select **Azure Active Directory** > **App registrations**.
+
+ 
+3. Click **New registration**.
+ 
+
+4. Specify the following values:
+
+    - Name: \<Tenant_name\> SIEM MSSP Connector (replace Tenant_name with the tenant display name)
+ 
+    - Supported account types: Account in this organizational directory only 
+    - Redirect URI: Select Web and type `https://<domain_name>/SiemMsspConnector`(replace <domain_name> with the tenant name)
+
+5. Click **Register**. The application is displayed in the list of applications you own.
+
+6. Select the application, then click **Overview**.
+
+7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
+
+8. Select **Certificate & secrets** in the new application panel.
+
+9. Click **New client secret**.
+
+
+    - Description: Enter a description for the key.
+    - Expires: Select **In 1 year**
+
+ 
+10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
+ 
+
+### Step 2: Get access and refresh tokens from your customer's tenant
+This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
+
+After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant.
+
+
+1. Create a new folder and name it: `MsspTokensAcquisition`.
+
+2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder.
+
+    >[!NOTE]
+    >In line 30, replace `authorzationUrl` with `authorizationUrl`.
+
+3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder:
+    ```
+    param (
+        [Parameter(Mandatory=$true)][string]$clientId,
+        [Parameter(Mandatory=$true)][string]$secret,
+        [Parameter(Mandatory=$true)][string]$tenantId
+    )
+    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+    # Load our Login Browser Function
+    Import-Module .\LoginBrowser.psm1
+
+    # Configuration parameters
+    $login = "https://login.microsoftonline.com"
+    $redirectUri = "https://SiemMsspConnector"
+    $resourceId = "https://graph.windows.net"
+
+    Write-Host 'Prompt the user for his credentials, to get an authorization code'
+    $authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
+                        $login, $tenantId, $clientId, $redirectUri, $resourceId)
+    Write-Host "authorzationUrl: $authorizationUrl"
+
+    # Fake a proper endpoint for the Redirect URI
+    $code = LoginBrowser $authorizationUrl $redirectUri
+
+    # Acquire token using the authorization code
+
+    $Body = @{
+        grant_type = 'authorization_code'
+        client_id = $clientId
+        code = $code
+        redirect_uri = $redirectUri
+        resource = $resourceId
+        client_secret = $secret
+    }
+
+    $tokenEndpoint = "$login/$tenantId/oauth2/token?"
+    $Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
+    $token = $Response.access_token
+    $refreshToken= $Response.refresh_token
+
+    Write-Host " -----------------------------------  TOKEN ---------------------------------- "
+    Write-Host $token
+
+    Write-Host " -----------------------------------  REFRESH TOKEN ---------------------------------- "
+    Write-Host $refreshToken 
+    ```
+4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder.
+
+5. Run the following command: 
+   `Set-ExecutionPolicy -ExecutionPolicy Bypass`
+
+6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId <client_id> -secret <app_key> -tenantId <customer_tenant_id>`
+ 
+    - Replace \<client_id\> with the **Application (client) ID** you got from the previous step.
+    - Replace \<app_key\> with the **Client Secret** you created from the previous step.
+    - Replace \<customer_tenant_id\> with your customer's **Tenant ID**. 
+ 
+
+7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
+
+8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. 
+
+ 
+### Step 3: Allow your application on Microsoft Defender Security Center
+You'll need to allow the application you created in Microsoft Defender Security Center.
+ 
+
+You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.
+
+1. Go to `https://securitycenter.windows.com?tid=<customer_tenant_id>` (replace \<customer_tenant_id\> with the customer's tenant ID.
+
+2. Click **Settings** > **SIEM**. 
+
+3. Select the **MSSP** tab.
+
+4. Enter the **Application ID** from the first step and your **Tenant ID**.
+
+5. Click **Authorize application**. 
+
+ 
+You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
+ 
+
+- In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value.
+- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
+
+## Fetch alerts from MSSP customer's tenant using APIs
+ 
+For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
+
+
+## Related topics
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Configure alert notifications](configure-mssp-notifications.md)

windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md

@@ -28,7 +28,7 @@ Retrieves specific [Alert](alerts.md) by its ID.
 
 
 ## Limitations
-1. You can get alerts last updated in the past 30 days.
+1. You can get alerts last updated according to your configured retention period.
 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
 

windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md

@@ -28,7 +28,7 @@ Retrieves all domains related to a specific alert.
 
 
 ## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
 

windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md

@@ -28,7 +28,7 @@ Retrieves all files related to a specific alert.
 
 
 ## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
 

windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md

@@ -28,7 +28,7 @@ Retrieves all IPs related to a specific alert.
 
 
 ## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
 

windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md

@@ -28,7 +28,7 @@ Retrieves [Device](machine.md) related to a specific alert.
 
 
 ## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
 

windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md

@@ -28,7 +28,7 @@ Retrieves the User related to a specific alert.
 
 
 ## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
 

windows/security/threat-protection/microsoft-defender-atp/get-alerts.md

@@ -26,12 +26,16 @@ ms.topic: article
 ## API description
 Retrieves a collection of Alerts.
 <br>Supports [OData V4 queries](https://www.odata.org/documentation/).
-<br>The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
+<br>OData supported operators:
+<br>```$filter``` on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
+<br>```$top``` with max value of 10,000 
+<br>```$skip```
+<br>```$expand``` of ```evidence```
 <br>See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
 
 
 ## Limitations
-1. You can get alerts last updated in the past 30 days.
+1. You can get alerts last updated according to your configured retention period.
 2. Maximum page size is 10,000.
 3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. 
 
@@ -70,14 +74,14 @@ Empty
 If successful, this method returns 200 OK, and a list of [alert](alerts.md) objects in the response body.
 
 
-## Example
+## Example 1 - Default
 
 **Request**
 
 Here is an example of the request.
 
 ```
-GET https://api.securitycenter.windows.com/api/alerts
+GET https://api.securitycenter.microsoft.com/api/alerts
 ```
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
@@ -93,41 +97,167 @@ Here is an example of the response.
 
 ```json
 {
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "da637084217856368682_-292920499",
-			"incidentId": 66860,
-			"investigationId": 4416234,
-			"assignedTo": "secop@contoso.com",
-			"severity": "Low",
-			"status": "New",
-			"classification": "TruePositive",
-			"determination": null,
-			"investigationState": "Running",
-			"detectionSource": "WindowsDefenderAtp",
-			"category": "CommandAndControl",
-			"threatFamilyName": null,
-			"title": "Network connection to a risky host",
-			"description": "A network connection was made to a risky host which has exhibited malicious activity.",
-			"alertCreationTime": "2019-11-03T23:49:45.3823185Z",
-			"firstEventTime": "2019-11-03T23:47:16.2288822Z",
-			"lastEventTime": "2019-11-03T23:47:51.2966758Z",
-			"lastUpdateTime": "2019-11-03T23:55:52.6Z",
-			"resolvedTime": null,
-			"machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
+            "id": "da637308392288907382_-880718168",
+            "incidentId": 7587,
+            "investigationId": 723156,
+            "assignedTo": "secop123@contoso.com",
+            "severity": "Low",
+            "status": "New",
+            "classification": "TruePositive",
+            "determination": null,
+            "investigationState": "Queued",
+            "detectionSource": "WindowsDefenderAv",
+            "category": "SuspiciousActivity",
+            "threatFamilyName": "Meterpreter",
+            "title": "Suspicious 'Meterpreter' behavior was detected",
+            "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
+            "alertCreationTime": "2020-07-20T10:53:48.7657932Z",
+            "firstEventTime": "2020-07-20T10:52:17.6654369Z",
+            "lastEventTime": "2020-07-20T10:52:18.1362905Z",
+            "lastUpdateTime": "2020-07-20T10:53:50.19Z",
+            "resolvedTime": null,
+            "machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
+            "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+            "rbacGroupName": "MiddleEast",
+            "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+            "relatedUser": {
+                "userName": "temp123",
+                "domainName": "MIDDLEEAST"
+            },
 			"comments": [
 				{
 					"comment": "test comment for docs",
-					"createdBy": "secop@contoso.com",
-					"createdTime": "2019-11-05T14:08:37.8404534Z"
+					"createdBy": "secop123@contoso.com",
+					"createdTime": "2020-07-21T01:00:37.8404534Z"
 				}
-			]
+			],
+            "evidence": []
 		}
 		...
 	]
 }
 ```
 
+## Example 2 - Get 10 latest Alerts with related Evidence
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
+```
+
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity. All alerts will be returned from an actual call.
+
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
+    "value": [
+		{
+			"id": "da637306396589640224_1753239473",
+			"incidentId": 875832,
+			"investigationId": 478434,
+			"assignedTo": null,
+			"severity": "Low",
+			"status": "New",
+			"classification": null,
+			"determination": null,
+			"investigationState": "PendingApproval",
+			"detectionSource": "WindowsDefenderAv",
+			"category": "UnwantedSoftware",
+			"threatFamilyName": "InstallCore",
+			"title": "An active 'InstallCore' unwanted software was detected",
+			"description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
+			"alertCreationTime": "2020-07-18T03:27:38.9483995Z",
+			"firstEventTime": "2020-07-18T03:25:39.6124549Z",
+			"lastEventTime": "2020-07-18T03:26:18.4362304Z",
+			"lastUpdateTime": "2020-07-18T03:28:19.76Z",
+			"resolvedTime": null,
+			"machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
+			"computerDnsName": "temp2.redmond.corp.microsoft.com",
+			"rbacGroupName": "Ring0",
+			"aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+			"relatedUser": {
+				"userName": "temp2",
+				"domainName": "REDMOND"
+			},
+			"comments": [],
+			"evidence": [
+				{
+					"entityType": "File",
+					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+					"fileName": "Your File Is Ready To Download_1911150169.exe",
+					"filePath": "C:\\Users\\temp2\\Downloads",
+					"processId": null,
+					"processCommandLine": null,
+					"processCreationTime": null,
+					"parentProcessId": null,
+					"parentProcessCreationTime": null,
+					"ipAddress": null,
+					"url": null,
+					"accountName": null,
+					"domainName": null,
+					"userSid": null,
+					"aadUserId": null,
+					"userPrincipalName": null
+				},
+				{
+					"entityType": "Process",
+					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+					"fileName": "Your File Is Ready To Download_1911150169.exe",
+					"filePath": "C:\\Users\\temp2\\Downloads",
+					"processId": 24348,
+					"processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
+					"processCreationTime": "2020-07-18T03:25:38.5269993Z",
+					"parentProcessId": 16840,
+					"parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
+					"ipAddress": null,
+					"url": null,
+					"accountName": null,
+					"domainName": null,
+					"userSid": null,
+					"aadUserId": null,
+					"userPrincipalName": null
+				},
+				{
+					"entityType": "User",
+					"sha1": null,
+					"sha256": null,
+					"fileName": null,
+					"filePath": null,
+					"processId": null,
+					"processCommandLine": null,
+					"processCreationTime": null,
+					"parentProcessId": null,
+					"parentProcessCreationTime": null,
+					"ipAddress": null,
+					"url": null,
+					"accountName": "temp2",
+					"domainName": "REDMOND",
+					"userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
+					"aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
+					"userPrincipalName": "temp2@microsoft.com"
+				}
+			]
+		},
+		...
+	]
+}
+```
+
+
 ## Related topics
 - [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)

windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md

@@ -1,5 +1,5 @@
 ---
-title: Get all vulnerabilities by Machine and Software
+title: Get all vulnerabilities by machine and software
 description: Retrieves a list of all the vulnerabilities affecting the organization by Machine and Software
 keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
 search.product: eADQiWindows 10XVcnh
@@ -16,13 +16,14 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# List vulnerabilities by Machine and Software
+# List vulnerabilities by machine and software
+
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Retrieves a list of all the vulnerabilities affecting the organization per [Machine](machine.md) and [Software](software.md).
-<br>If the vulnerability has a fixing KB, it will appear in the response.
-<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
-<br>The OData ```$filter``` is supported on all properties.
+Retrieves a list of all the vulnerabilities affecting the organization per [machine](machine.md) and [software](software.md).
+- If the vulnerability has a fixing KB, it will appear in the response.
+- Supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData ```$filter``` is supported on all properties.
 
 >[!Tip]
 >This is great API for [Power BI integration](api-power-bi.md).
@@ -100,5 +101,6 @@ Here is an example of the response.
 ```
 
 ## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+- [Risk-based threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
 - [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)

windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md

@@ -28,7 +28,7 @@ Retrieves a collection of [Alerts](alerts.md) related to a given domain address.
 
 
 ## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
 
@@ -48,7 +48,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
 >- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
 
 ## HTTP request
-```
+```http
 GET /api/domains/{domain}/alerts
 ```
 
@@ -73,6 +73,6 @@ Here is an example of the request.
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
-```
+```http
 GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
 ```

windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md

@@ -28,7 +28,7 @@ Retrieves a collection of [Machines](machine.md) that have communicated to or fr
 
 
 ## Limitations
-1. You can query on devices last seen in the past 30 days.
+1. You can query on devices last updated according to your configured retention period.
 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
 
@@ -48,7 +48,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
 >- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
 
 ## HTTP request
-```
+```http
 GET /api/domains/{domain}/machines
 ```
 
@@ -75,6 +75,6 @@ Here is an example of the request.
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
 
-```
+```http
 GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
 ```

windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md

@@ -28,7 +28,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name.
 
 
 ## Limitations
-1. You can get devices last seen in the past 30 days.
+1. You can get devices last seen according to your configured retention policy.
 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
 
@@ -49,7 +49,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
 
 
 ## HTTP request
-```
+```http
 GET /api/machines/{id}
 ```
 
@@ -65,7 +65,7 @@ Empty
 
 ## Response
 If successful and device exists - 200 OK with the [machine](machine.md) entity in the body.
-If machine with the specified id was not found - 404 Not Found.
+If machine with the specified ID was not found - 404 Not Found.
 
 
 ## Example
@@ -76,7 +76,7 @@ Here is an example of the request.
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
-```
+```http
 GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
 ```
 
@@ -85,7 +85,7 @@ GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932
 Here is an example of the response.
 
 
-```
+```http
 HTTP/1.1 200 OK
 Content-type: application/json
 {

windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md

@@ -28,7 +28,7 @@ Retrieves a collection of logged on users on a specific device.
 
 
 ## Limitations
-1. You can query on devices last seen in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
 
@@ -46,7 +46,7 @@ Delegated (work or school account) | User.Read.All | 'Read user profiles'
 >- Response will include users only if the device is visible to the user, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
 
 ## HTTP request
-```
+```http
 GET /api/machines/{id}/logonusers
 ```
 
@@ -72,7 +72,7 @@ Here is an example of the request.
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
-```
+```http
 GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
 ```
 
@@ -81,7 +81,7 @@ GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932
 Here is an example of the response.
 
 
-```
+```http
 HTTP/1.1 200 OK
 Content-type: application/json
 {

windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md

@@ -28,7 +28,7 @@ Retrieves all [Alerts](alerts.md) related to a specific device.
 
 
 ## Limitations
-1. You can query on devices last seen in the past 30 days.
+1. You can query on devices last updated according to your configured retention period.
 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
 
@@ -45,7 +45,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
 >- User needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
 
 ## HTTP request
-```
+```http
 GET /api/machines/{id}/alerts
 ```
 

windows/security/threat-protection/microsoft-defender-atp/get-machines.md

@@ -24,14 +24,14 @@ ms.topic: article
 
 
 ## API description
-Retrieves a collection of [Machines](machine.md) that have communicated with  Microsoft Defender ATP cloud on the last 30 days.
+Retrieves a collection of [Machines](machine.md) that have communicated with  Microsoft Defender ATP cloud.
 <br>Supports [OData V4 queries](https://www.odata.org/documentation/).
-<br>The OData's ```$filter``` query is supported on: ```computerDnsName```, ```lastSeen```, ```lastIpAddress```, ```healthStatus```, ```osPlatform```, ```riskScore```, ```rbacGroupId``` and ```machineTags``` properties.
+<br>The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
 <br>See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
 
 
 ## Limitations
-1. You can get devices last seen in the past 30 days.
+1. You can get devices last seen according to your configured retention period.
 2. Maximum page size is 10,000.
 3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. 
 
@@ -51,7 +51,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
 >- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
 
 ## HTTP request
-```
+
+```http
 GET https://api.securitycenter.windows.com/api/machines
 ```
 
@@ -77,7 +78,8 @@ Here is an example of the request.
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
-```
+
+```http
 GET https://api.securitycenter.windows.com/api/machines
 ```
 
@@ -85,8 +87,7 @@ GET https://api.securitycenter.windows.com/api/machines
 
 Here is an example of the response.
 
-
-```
+```http
 HTTP/1.1 200 OK
 Content-type: application/json
 {

windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md

@@ -0,0 +1,136 @@
+---
+title: Grant access to managed security service provider (MSSP)
+description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP 
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Grant managed security service provider (MSSP) access (preview)
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+>[!IMPORTANT] 
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+To implement a multi-tenant delegated access solution, take the following steps:
+
+1. Enable [role-based access control](rbac.md) in Microsoft Defender ATP and connect with Active Directory (AD) groups.
+
+2. Configure [Governance Access Packages](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) for access request and provisioning.
+
+3. Manage access requests and audits in [Microsoft Myaccess](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-request-approve).
+
+## Enable role-based access controls in Microsoft Defender ATP
+
+1. **Create access groups for MSSP resources in Customer AAD: Groups**
+
+    These groups will be linked to the Roles you create in Microsoft Defender ATP. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
+
+    - Tier 1 Analyst 
+    - Tier 2 Analyst 
+    - MSSP Analyst Approvers  
+
+
+2. Create Microsoft Defender ATP roles for appropriate access levels in Customer Microsoft Defender ATP.
+
+    To enable RBAC in the customer Microsoft Defender Security Center, access **Settings > Permissions > Roles** and "Turn on roles", from a user account with Global Administrator or Security Administrator rights.
+
+    ![Image of MSSP access](images/mssp-access.png)
+
+    Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via “Assigned user groups”.
+
+    Two possible roles:
+
+    - **Tier 1 Analysts** <br>
+      Perform all actions except for live response and manage security settings.
+
+    - **Tier 2 Analysts** <br>
+      Tier 1 capabilities with the addition to [live response](live-response.md)
+
+    For more information, see [Use role-based access control](rbac.md).
+
+
+
+## Configure Governance Access Packages
+
+1.	**Add MSSP as Connected Organization in Customer AAD: Identity Governance**
+    
+    Adding the MSSP as a connected organization will allow the MSSP to request and have accesses provisioned. 
+
+    To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate AD tenant for your MSSP Analysts.
+
+2. **Create a resource catalog in Customer AAD: Identity Governance**
+
+    Resource catalogs are a logical collection of access packages, created in the customer AD tenant.
+
+    To do so, in the customer AD tenant,  access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**. 
+
+    ![Image of new catalog](images/goverance-catalog.png)
+
+    Further more information, see [Create a catalog of resources](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-catalog-create).
+
+
+3. **Create access packages for MSSP resources Customer AAD: Identity Governance**
+
+    Access packages are the collection of rights and accesses that a requestor will be granted upon approval. 
+
+    To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
+
+    - Requires a member of the AD group **MSSP Analyst Approvers** to authorize new requests
+    - Has annual access reviews, where the SOC analysts can request an access extension
+    - Can only be requested by users in the MSSP SOC Tenant
+    - Access auto expires after 365 days
+
+    ![Image of new access package](images/new-access-package.png)
+
+    For more information, see [Create a new access package](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-access-package-create).
+
+
+4. **Provide access request link to MSSP resources from Customer AAD: Identity Governance**
+
+    The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**.
+
+
+    ![Image of access properties](images/access-properties.png)
+
+    The link is located on the overview page of each access package.
+
+## Manage access 
+
+1. Review and authorize access requests in Customer and/or MSSP myaccess.
+
+    Access requests are managed in the customer My Access, by members of the MSSP Analyst Approvers group.
+
+    To do so, access the customer’s myaccess using: 
+    `https://myaccess.microsoft.com/@<Customer Domain >`. 
+
+    Example:  `https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/`   
+2. Approve or deny requests in the **Approvals** section of the UI.
+
+    At this point, analyst access has been provisioned, and each analyst should be able to access the customer’s Microsoft Defender Security Center: `https://securitycenter.Microsoft.com/?tid=<CustomerTenantId>`
+
+## Related topics
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
+
+
+
+ 
+

windows/security/threat-protection/microsoft-defender-atp/images/desktop.ini

@@ -1,4 +0,0 @@
-[LocalizedFileNames]
-atp-mapping7.png=@atp-mapping7,0
-atp-machine-health-details.PNG=@atp-machine-health-details,0
-email-notification.png=@email-notification,0

windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md

@@ -18,7 +18,7 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Create indicators based on certificates (preview)
+# Create indicators based on certificates
 
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -69,4 +69,4 @@ It's important to understand the following requirements prior to creating indica
 - [Create indicators](manage-indicators.md)
 - [Create indicators for files](indicator-file.md)
 - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
-- [Manage indicators](indicator-manage.md)
+- [Manage indicators](indicator-manage.md)

windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md

@@ -27,6 +27,9 @@ ms.topic: article
 
 Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach.
 
+> [!NOTE]
+> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
+
 You can click on affected devices whenever you see them in the portal to open a detailed report about that device. Affected devices are identified in the following areas:
 
 - [Devices list](investigate-machines.md)

windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md

@@ -19,6 +19,10 @@ ms.topic: conceptual
 
 # What's new in Microsoft Defender Advanced Threat Protection for Linux
 
+## 101.03.48
+
+- Bug fixes
+
 ## 101.02.55
 
 - Fixed an issue where the product sometimes does not start following a reboot / upgrade

windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md

@@ -74,7 +74,7 @@ You can validate that your exclusion lists are working by using `curl` to downlo
 In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
 
 ```bash
-$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
+curl -o test.txt https://www.eicar.org/download/eicar.com.txt
 ```
 
 If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md

@@ -50,7 +50,7 @@ The following table summarizes the steps you would need to take to deploy and ma
 | [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
 | [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
 | [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
-| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)<br/><br/> **Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
+| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)<br/><br/> **Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
 | [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
 
 ## Download installation and onboarding packages
@@ -69,12 +69,12 @@ Download the installation and onboarding packages from Microsoft Defender Securi
     Extract the contents of the .zip files:
 
     ```bash
-    $ ls -l
+    ls -l
     total 721688
     -rw-r--r--  1 test  staff     269280 Mar 15 11:25 IntuneAppUtil
     -rw-r--r--  1 test  staff      11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
     -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
-    $ unzip WindowsDefenderATPOnboardingPackage.zip
+    unzip WindowsDefenderATPOnboardingPackage.zip
     Archive:  WindowsDefenderATPOnboardingPackage.zip
     warning:  WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
       inflating: intune/kext.xml
@@ -85,13 +85,13 @@ Download the installation and onboarding packages from Microsoft Defender Securi
 7. Make IntuneAppUtil an executable:
 
     ```bash
-    $ chmod +x IntuneAppUtil
+    chmod +x IntuneAppUtil
     ```
 
 8. Create the wdav.pkg.intunemac package from wdav.pkg:
 
     ```bash
-    $ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
+    ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
     Microsoft Intune Application Utility for Mac OS X
     Version: 1.0.0.0
     Copyright 2018 Microsoft Corporation

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md

@@ -34,7 +34,7 @@ This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF.
 
 ## Prerequisites and system requirements
 
-Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
 
 In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow.
 
@@ -45,7 +45,7 @@ The following table summarizes the steps you would need to take to deploy and ma
 | Step | Sample file names | BundleIdentifier |
 |-|-|-|
 | [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
-| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)<br/><br/> **Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav |
+| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)<br/><br/> **Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav |
 | [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdav.tray |
 | [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#jamf) | MDATP_Microsoft_AutoUpdate.mobileconfig | com.microsoft.autoupdate2 |
 | [Grant Full Disk Access to Microsoft Defender ATP](#privacy-preferences-policy-control) | Note: If there was one, MDATP_tcc_Catalina_or_newer.plist | com.microsoft.wdav.tcc |
@@ -67,11 +67,11 @@ Download the installation and onboarding packages from Microsoft Defender Securi
 5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
 
     ```bash
-    $ ls -l
+    ls -l
     total 721160
     -rw-r--r--  1 test  staff      11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
     -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
-    $ unzip WindowsDefenderATPOnboardingPackage.zip
+    unzip WindowsDefenderATPOnboardingPackage.zip
     Archive:  WindowsDefenderATPOnboardingPackage.zip
     warning:  WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
     inflating: intune/kext.xml
@@ -208,7 +208,7 @@ Once the policy is applied, you'll see the Microsoft Defender ATP icon in the ma
 You can monitor policy installation on a device by following the JAMF log file:
 
 ```bash
-    $ tail -f /var/log/jamf.log
+    tail -f /var/log/jamf.log
     Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
     Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"...
     Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
@@ -221,7 +221,7 @@ You can monitor policy installation on a device by following the JAMF log file:
 You can also check the onboarding status:
 
 ```bash
-$ mdatp --health
+mdatp --health
 ...
 licensed                                : true
 orgId                                   : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
@@ -237,7 +237,7 @@ orgId                                   : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
 You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
 
 ```bash
-$ mdatp --health healthy
+mdatp --health healthy
 ```
 
 The above command prints "1" if the product is onboarded and functioning as expected.

windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md

@@ -747,7 +747,7 @@ The following templates contain entries for all settings described in this docum
 The property list must be a valid *.plist* file. This can be checked by executing:
 
 ```bash
-$ plutil -lint com.microsoft.wdav.plist
+plutil -lint com.microsoft.wdav.plist
 com.microsoft.wdav.plist: OK
 ```
 

windows/security/threat-protection/microsoft-defender-atp/mac-pua.md

@@ -53,7 +53,7 @@ You can configure how PUA files are handled from the command line or from the ma
 In Terminal, execute the following command to configure PUA protection:
 
 ```bash
-$ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
+mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
 ```
 
 ### Use the management console to configure PUA protection:

windows/security/threat-protection/microsoft-defender-atp/mac-resources.md

@@ -25,12 +25,12 @@ ms.topic: conceptual
 
 ## Collecting diagnostic information
 
-If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
+If you can reproduce a problem, increase the logging level, run the system for some time, and restore the logging level to the default.
 
 1. Increase logging level:
 
    ```bash
-   $ mdatp --log-level verbose
+   mdatp --log-level verbose
    Creating connection to daemon
    Connection established
    Operation succeeded
@@ -38,10 +38,10 @@ If you can reproduce a problem, please increase the logging level, run the syste
 
 2. Reproduce the problem
 
-3. Run `sudo mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
+3. Run `sudo mdatp --diagnostic --create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
 
    ```bash
-   $ sudo mdatp --diagnostic --create
+   sudo mdatp --diagnostic --create
    Creating connection to daemon
    Connection established
    ```
@@ -49,7 +49,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
 4. Restore logging level:
 
    ```bash
-   $ mdatp --log-level info
+   mdatp --log-level info
    Creating connection to daemon
    Connection established
    Operation succeeded
@@ -63,7 +63,7 @@ The detailed log will be saved to `/Library/Logs/Microsoft/mdatp/install.log`. I
 
 ## Uninstalling
 
-There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.
+There are several ways to uninstall Microsoft Defender ATP for Mac. Note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.
 
 ### Interactive uninstallation
 
@@ -100,6 +100,36 @@ Important tasks, such as controlling product settings and triggering on-demand s
 |EDR          |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
 |EDR          |Remove group tag from device              |`mdatp --edr --remove-tag [name]`                                            |
 
+### How to enable autocompletion
+
+To enable autocompletion in `Bash`, run the following command and restart the Terminal session:
+
+```bash
+$ echo "source /Applications/Microsoft\ Defender\ ATP.app/Contents/Resources/Tools/mdatp_completion.bash" >> ~/.bash_profile
+```
+
+To enable autocompletion in `zsh`:
+
+- Check whether autocompletion is enabled on your device:
+
+   ```zsh
+   $ cat ~/.zshrc | grep autoload
+   ```
+
+- If the above command does not produce any output, you can enable autocompletion using the following command:
+
+   ```zsh
+   $ echo "autoload -Uz compinit && compinit" >> ~/.zshrc
+   ```
+
+- Run the following command to enable autocompletion for Microsoft Defender ATP for Mac and restart the Terminal session:
+
+   ```zsh
+   sudo mkdir -p /usr/local/share/zsh/site-functions
+
+   sudo ln -svf "/Applications/Microsoft Defender ATP.app/Contents/Resources/Tools/mdatp_completion.zsh" /usr/local/share/zsh/site-functions/_mdatp
+   ```
+
 ## Client Microsoft Defender ATP quarantine directory
 
 `/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`.