diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md
index d31baa9297..a14e1d9f0d 100644
--- a/windows/deploy/TOC.md
+++ b/windows/deploy/TOC.md
@@ -1,4 +1,5 @@
 # [Deploy Windows 10](index.md)
+## [What's new in Windows 10 deployment](deploy-whats-new.md)
 ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
 ## [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md)
 ### [Upgrade Readiness architecture](upgrade-readiness-architecture.md)
@@ -26,6 +27,7 @@
 ### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
 ### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
 ### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+### [Perform an in-place upgrade to Windows 10 with MDT](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
 ### [Configure MDT settings](configure-mdt-settings.md)
 #### [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
 #### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
@@ -48,8 +50,7 @@
 ### [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
 ### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
 ### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
 ## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md)
 ## [Convert MBR partition to GPT](mbr-to-gpt.md)
 ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md
index a3c2c4364e..f0c32cf285 100644
--- a/windows/deploy/change-history-for-deploy-windows-10.md
+++ b/windows/deploy/change-history-for-deploy-windows-10.md
@@ -17,6 +17,9 @@ The topics in this library have been updated for Windows 10, version 1703 (also
 ## March 2017
 | New or changed topic | Description |
 |----------------------|-------------|
+| [What's new in Windows 10 deployment](deploy-whats-new.md) | New | 
+| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. | 
+| [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. | 
 | [Convert MBR partition to GPT](mbr-to-gpt.md) | New | 
 
 ## February 2017
diff --git a/windows/deploy/deploy-whats-new.md b/windows/deploy/deploy-whats-new.md
new file mode 100644
index 0000000000..9d6a1b0d15
--- /dev/null
+++ b/windows/deploy/deploy-whats-new.md
@@ -0,0 +1,123 @@
+---
+title: What's new in Windows 10 deployment
+description: Changes and new features related to Windows 10 deployment
+keywords: deployment, automate, tools, configure, news
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.prod: w10
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+# What's new in Windows 10 deployment
+
+**Applies to**
+-   Windows 10
+
+
+## In this topic
+
+This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization.
+
+- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index).
+- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history).
+
+
+## Windows 10 Enterprise upgrade
+
+Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
+
+For more information, see [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md)
+
+
+## Deployment solutions and tools
+
+### Upgrade Readiness
+
+The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. 
+
+Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. 
+
+The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.  
+
+For more information about Upgrade Readiness, see the following topics:
+
+- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/)
+- [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md)
+
+
+### Update Compliance
+
+Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
+
+Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
+
+For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md).
+
+
+### MBR2GPT
+
+MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT. 
+
+There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface.  Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
+
+For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
+
+
+### Microsoft Deployment Toolkit (MDT)
+
+MDT build 884 is available, including support for:
+- Deployment and upgrade of Windows 10, version 1607 (including Enterprise LTSB and Education editions) and Windows Server 2016.
+- The Windows ADK for Windows 10, version 1607.
+- Integration with Configuration Manager version 1606.
+
+For more information about MDT, see the [MDT resource page](https://technet.microsoft.com/en-US/windows/dn475741).
+
+
+### Windows Assessment and Deployment Kit (ADK)
+
+The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. See the following topics:
+
+- [What's new in ADK kits and tools](https://msdn.microsoft.com/windows/hardware/commercialize/what-s-new-in-kits-and-tools)
+- [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
+
+
+## Testing and validation guidance
+
+### Windows 10 deployment proof of concept (PoC)
+
+The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup. 
+
+For more information, see the following guides:
+
+- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
+- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
+- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+
+
+## Troubleshooting guidance
+
+[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
+
+
+## Online content change history
+
+The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10.
+
+[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
+<BR>[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
+<BR>[Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
+<BR>[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
+
+
+## Related topics
+
+[Overview of Windows as a service](../manage/waas-overview.md)
+<BR>[Windows 10 deployment considerations](../plan/windows-10-deployment-considerations.md)
+<BR>[Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info.aspx)
+<BR>[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications)
+<BR>[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
+<BR>[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
+
+ 
\ No newline at end of file
diff --git a/windows/deploy/index.md b/windows/deploy/index.md
index 8b1846f60e..8058cf8890 100644
--- a/windows/deploy/index.md
+++ b/windows/deploy/index.md
@@ -16,13 +16,12 @@ Learn about deploying Windows 10 for IT professionals.
 
 |Topic |Description |
 |------|------------|
+|[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
 |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
 |[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | 
 |[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
 |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
 |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
-|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) task sequence to completely automate the process. |
-|[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
 |[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
 |[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
 |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
diff --git a/windows/deploy/upgrade-readiness-get-started.md b/windows/deploy/upgrade-readiness-get-started.md
index 9f9abda9b2..4829baa632 100644
--- a/windows/deploy/upgrade-readiness-get-started.md
+++ b/windows/deploy/upgrade-readiness-get-started.md
@@ -44,7 +44,7 @@ If you are already using OMS, you’ll find Upgrade Readiness in the Solutions G
 
 If you are not using OMS:
 
-1.  Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process.
+1.  Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **New Customers >** to kick off the onboarding process.
 2.  Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
 3.  Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
 4.  If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
@@ -130,4 +130,4 @@ To ensure that user computers are receiving the most up to date data from Micros
 
 ### Distribute the deployment script at scale
 
-Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see the [Upgrade Readiness blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
\ No newline at end of file
+Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see the [Upgrade Readiness blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
diff --git a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
index 1739910931..4df01c9022 100644
--- a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
+++ b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
@@ -1,6 +1,6 @@
 ---
-title: Upgrade to Windows 10 with System Center Configuration Manager (Windows 10)
-description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process.
+title: Perform an in-place upgrade to Windows 10 using Configuration Manager (Windows 10)
+description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process.
 ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
 keywords: upgrade, update, task sequence, deploy
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
 author: mtniehaus
 ---
 
-# Upgrade to Windows 10 with System Center Configuration Manager
+# Perform an in-place upgrade to Windows 10 using Configuration Manager
 
 
 **Applies to**
diff --git a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index c3f69f25b9..4deadb668f 100644
--- a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -1,5 +1,5 @@
 ---
-title: Upgrade to Windows 10 with the Microsoft Deployment Toolkit (Windows 10)
+title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
 description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
 ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
 keywords: upgrade, update, task sequence, deploy
@@ -11,7 +11,7 @@ ms.pagetype: mdt
 author: mtniehaus
 ---
 
-# Upgrade to Windows 10 with the Microsoft Deployment Toolkit
+# Perform an in-place upgrade to Windows 10 with MDT
 
 **Applies to**
 -   Windows 10
diff --git a/windows/deploy/windows-10-poc-mdt.md b/windows/deploy/windows-10-poc-mdt.md
index 78b5aa1d76..e42cec7206 100644
--- a/windows/deploy/windows-10-poc-mdt.md
+++ b/windows/deploy/windows-10-poc-mdt.md
@@ -5,6 +5,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
+keywords: deployment, automate, tools, configure, mdt
+localizationpriority: high
 author: greg-lindsay
 ---
 
diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md
index ff0b497b45..b7c115e44a 100644
--- a/windows/deploy/windows-10-poc-sc-config-mgr.md
+++ b/windows/deploy/windows-10-poc-sc-config-mgr.md
@@ -5,6 +5,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
+keywords: deployment, automate, tools, configure, sccm, configuration manager
+localizationpriority: high
 author: greg-lindsay
 ---
 
diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md
index 74b8d0f352..3db31d59c4 100644
--- a/windows/deploy/windows-10-poc.md
+++ b/windows/deploy/windows-10-poc.md
@@ -5,6 +5,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
+keywords: deployment, automate, tools, configure, mdt, sccm
+localizationpriority: high
 author: greg-lindsay
 ---
 
diff --git a/windows/images/W10-WaaS-poster.PNG b/windows/images/W10-WaaS-poster.PNG
new file mode 100644
index 0000000000..76f843c1b8
Binary files /dev/null and b/windows/images/W10-WaaS-poster.PNG differ
diff --git a/windows/images/front-page-video.PNG b/windows/images/front-page-video.PNG
new file mode 100644
index 0000000000..afe78e3564
Binary files /dev/null and b/windows/images/front-page-video.PNG differ
diff --git a/windows/images/w10-configure.png b/windows/images/w10-configure.png
new file mode 100644
index 0000000000..ebfef8d97b
Binary files /dev/null and b/windows/images/w10-configure.png differ
diff --git a/windows/images/w10-deploy.png b/windows/images/w10-deploy.png
new file mode 100644
index 0000000000..d567f44f1d
Binary files /dev/null and b/windows/images/w10-deploy.png differ
diff --git a/windows/images/w10-manage.png b/windows/images/w10-manage.png
new file mode 100644
index 0000000000..9ace55b79b
Binary files /dev/null and b/windows/images/w10-manage.png differ
diff --git a/windows/images/w10-plan.png b/windows/images/w10-plan.png
new file mode 100644
index 0000000000..045f85e914
Binary files /dev/null and b/windows/images/w10-plan.png differ
diff --git a/windows/images/w10-secure.png b/windows/images/w10-secure.png
new file mode 100644
index 0000000000..7799e94849
Binary files /dev/null and b/windows/images/w10-secure.png differ
diff --git a/windows/images/w10-update.png b/windows/images/w10-update.png
new file mode 100644
index 0000000000..876374904b
Binary files /dev/null and b/windows/images/w10-update.png differ
diff --git a/windows/images/w10-whatsnew.png b/windows/images/w10-whatsnew.png
new file mode 100644
index 0000000000..cc040c45aa
Binary files /dev/null and b/windows/images/w10-whatsnew.png differ
diff --git a/windows/index.md b/windows/index.md
index 08a4bee465..8d86b31add 100644
--- a/windows/index.md
+++ b/windows/index.md
@@ -8,37 +8,94 @@ author: brianlic-msft
 ---
 
 # Windows 10 and Windows 10 Mobile
+
+This library provides the core content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile.
 
+<center><iframe src="https://channel9.msdn.com/Events/Ignite/Australia-2017/WIN212/player" width="960" height="540" allowFullScreen frameBorder="0"></iframe></center>
 
-This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile.
+<br/>
+<table border="0" width="100%" align='center'>
+</tr>
+  <tr style="text-align:center;">
+    <td style="width:25%; border:0;">
+      <a href="https://technet.microsoft.com/en-us/itpro/windows/whats-new/index">
+        <img src="images/w10-whatsnew.png" alt="Read what's new in Windows 10" title="What's new in Windows 10?" />
+      </a>
+      <br/>What's New?
+    </td>
+    <td style="width:25%; border:0;">
+      <a href="https://technet.microsoft.com/en-us/itpro/windows/plan/index">
+        <img src="images/w10-plan.png" alt="Plan your Windows 10 enterprise deployment" title="Plan your Windows 10 enterprise deployment" />
+      </a>
+      <br/>Plan
+    </td>
+    <td style="width:25%; border:0;">
+      <a href="https://technet.microsoft.com/en-us/itpro/windows/deploy/index">
+        <img src="images/w10-deploy.png" alt="Deploy Windows 10 in your enterprise" title="Deploy Windows 10" />
+      </a>
+      <br/>Deploy
+    </td>
+    <td style="width:25%; border:0;">
+      <a href="https://technet.microsoft.com/en-us/itpro/windows/manage/index">
+        <img src="images/w10-manage.png" alt="Manage Windows 10 in your enterprise" title="Manage Windows 10" />
+      </a>
+      <br/>Manage
+    </td>
+  </tr>
+  <tr style="text-align:center;">
+    <td style="width:25%; border:0;">
+    <br/>
+      <a href="https://technet.microsoft.com/en-us/itpro/windows/deploy/index">
+        <img src="images/w10-secure.png" alt="Keep Windows 10 secure" title="Keep Windows 10 secure" />
+      </a>
+      <br/>Keep Secure
+    </td>
+    <td style="width:25%; border:0;">
+      <br/>
+      <a href="https://technet.microsoft.com/en-us/itpro/windows/configure/index">
+        <img src="images/W10-configure.png" alt="Configure Windows 10 in your enterprise" title="Configure Windows 10" />
+      </a>
+      <br/>Configure
+    </td>
+    <td style="width:25%; border:0;">
+      <br/>
+      <a href="https://technet.microsoft.com/en-us/itpro/windows/update/index">
+        <img src="images/w10-update.png" alt="Update Windows 10 in your enterprise" title="Update Windows 10" />
+      </a>
+      <br/>Update
+    </td>
+    <td style="width:25%; border:0;">
+      <br/>
+      <a href="">
+        <img src="images/w10-plan.png" alt="Get your " title="What's new in Windows 10" />
+      </a>
+      <br/>Try it
+    </td>
+  </tr>
+</table>
 
-## In this library
+<br/>
 
+# Get to know Windows as a Service (WaaS)
+<table border="0" width="100%" align='center'>
+<tr>
+  <td valign=top width=60%>The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
+
+  These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
+
 
-[What's new in Windows 10](whats-new/index.md)
+  * [Read more about Windows as a Service]()
+  * [Download the WaaS infographic]()
 
-[Plan for Windows 10 deployment](plan/index.md)
+  </td>
+  <td width=40%><center><img style='border:thin silver solid' src="images/w10-WaaS-poster.png" alt="Get to know Windows as a Service (WaaS) " title="Get to know Windows as a Service (WaaS)" /></center></td>
+</tr>
+<table>
 
-[Deploy Windows 10](deploy/index.md)
-
-[Configure Windows 10](configure/index.md)
-
-[Update Windows 10](update/index.md)
-
-[Keep Windows 10 secure](keep-secure/index.md)
-
-[Manage Windows 10](manage/index.md)
 
 ## Related topics
-
-
 [Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009)
 
  
 
  
-
-
-
-
-
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 57c4ee7416..f2339f5940 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -801,16 +801,48 @@
 #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
 #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
 #### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
-### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
-#### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-#### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
-#### [Windows Defender Offline in Windows 10](windows-defender-offline.md)
-#### [Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)
-#### [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)
-#### [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)
-#### [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)
-#### [Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md)
-#### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+###	[Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+#### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
+#### [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
+#### [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+##### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)
+###### [Deployment guide for VDI environments](deployment-vdi-windows-defender-antivirus.md)
+##### [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
+##### [Manage updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+###### [Manage protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+###### [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+###### [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+#### [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md)
+##### [Utilize Microsoft cloud-provided protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+###### [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+###### [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
+###### [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md)
+###### [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+###### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+##### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
+###### [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+###### [Enable and configure always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+##### [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
+###### [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+###### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
+###### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+#### [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+##### [Exclude files and processes from scans](configure-exclusions-windows-defender-antivirus.md)
+##### [Configure email, removable storage, network, reparse point, and archive scanning](configure-advanced-scan-types-windows-defender-antivirus.md)
+##### [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
+##### [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+##### [Configure and run scans](run-scan-windows-defender-antivirus.md)
+##### [Review scan results](review-scan-results-windows-defender-antivirus.md)
+##### [Run and review the results of a Windows Defender Offline scan](windows-defender-offline.md)
+#### [Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)
+#### [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+##### [Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)
+##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)
+##### [Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)
+##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](command-line-arguments-windows-defender-antivirus.md)
 ### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
 #### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md)
 #### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md)
diff --git a/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md b/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
new file mode 100644
index 0000000000..ea9f0e7d05
--- /dev/null
+++ b/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
@@ -0,0 +1,59 @@
+---
+title: Use the command line to manage Windows Defender AV
+description: Windows Defender AV has a dedicated command-line utility that can run scans and configure protection.
+keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+# Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10
+
+
+You can use a dedicated command-line tool to perform various functions in Windows Defender Antivirus. 
+
+This utility can be handy when you want to automate the use of Windows Defender Antivirus. 
+
+The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
+
+> [!NOTE]
+> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+
+
+The utility has the following commands:
+
+```DOS
+MpCmdRun.exe [command] [-options]
+```
+
+Command | Description 
+:---|:---
+\- ? **or** -h | Displays all available options for the tool
+\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious software
+\-Trace  [-Grouping #] [-Level #]| Starts diagnostic tracing
+\-GetFiles | Collects support information
+\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
+\-AddDynamicSignature [-Path] | Loads a dynamic signature
+\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
+\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
+\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md)
+
+
+
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
+
diff --git a/windows/keep-secure/configuration-management-reference-windows-defender-antivirus.md b/windows/keep-secure/configuration-management-reference-windows-defender-antivirus.md
new file mode 100644
index 0000000000..edf44cdddc
--- /dev/null
+++ b/windows/keep-secure/configuration-management-reference-windows-defender-antivirus.md
@@ -0,0 +1,44 @@
+---
+title: Windows Defender AV reference for management tools
+description: Learn how Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line can be used to manage Windows Defender AV
+keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Reference topics for management and configuration tools
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+Windows Defender Antivirus can be managed and configured with the following tools:
+
+- Group Policy
+- System Center Configuration Manager and Microsoft Intune
+- PowerShell cmdlets
+- Windows Management Instruction (WMI)
+- The mpcmdrun.exe utility
+
+The topics in this section provide further information, links, and resources for using these tools in conjunction with Windows Defender AV.
+
+## In this section
+
+Topic | Description 
+---|---
+[Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in the Windows 10, version 1703 ADMX templates
+[Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)|Information on using System Center Configuration Manager and Microsoft Intune to deploy, manage, report, and configure Windows Defender AV
+[Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions on using PowerShell cmdlets in the Defender Module and links to documentation for all cmdlets and allowed parameters
+[Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)| Instructions on using WMI to manage Windows Defender AV and links to documentation for the Windows Defender WMIv2 APIs (including all classes, methods, and properties)
+[Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Windows Defender AV
+
diff --git a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
new file mode 100644
index 0000000000..cd5a3e9874
--- /dev/null
+++ b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -0,0 +1,158 @@
+---
+title: Configure advanced scanning types for Windows Defender AV
+description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
+keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure email, removable storage, network, reparse point, and archive scanning in Windows Defender AV
+
+
+**Applies to**
+-   Windows 10
+
+
+
+
+
+
+
+## Manage email scans in Windows Defender
+
+You can use Windows Defender to scan email files. Malware can install itself and hide in email files, and although real-time protection offers you the best protection from email malware, you can also scan emails stored on your PC or server with Windows Defender.
+> **Important:**  Mail scanning only applies to on-demand and scheduled scans, not on-access scans.
+ 
+Windows Defender scans Microsoft Office Outlook 2003 and older email files. We identify the file type at run-time based on the content of the file, not on location or extension.
+> **Note: **  Scanning email files might increase the time required to complete a scan.
+ 
+Windows Defender can extract embedded objects within a file (attachments and archived files, for example) and scan internally.
+> **Note:**  While Windows Defender can be configured to scan email files, it can only remediate threats detected inside certain files, for example:
+-   DBX
+-   MBX
+-   MIME
+ 
+You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using real-time protection to protect against email malware.
+
+If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
+-   Email subject
+-   Attachment name
+Email scanning in Windows Defender is turned off by default. There are three ways you can manage scans through Windows Defender:
+-   *Group Policy* settings
+-   WMI
+-   PowerShell
+> **Important:**  There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
+-   [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
+-   [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
+ 
+## Use *Group Policy* settings to enable email scans
+
+This policy setting allows you to turn on email scanning. When email scanning is enabled, the engine will parse the mailbox and mail files to analyze the mail bodies and attachments.
+
+Turn on email scanning with the following *Group Policy* settings:
+1.  Open the **Group Policy Editor**.
+2.  In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
+3.  Click **Scan**.
+4.  Double-click **Turn on e-mail scanning**.
+
+    This will open the **Turn on e-mail scanning** window:
+    
+    ![turn on e-mail scanning window](images/defender-scanemailfiles.png)
+    
+5.  Select **Enabled**.
+6.  Click **OK** to apply changes.
+
+## Use WMI to disable email scans
+
+You can write a WMI script or application to disable email scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
+
+Use the **DisableEmailScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
+**DisableEmailScanning**
+Data type: **boolean**
+Access type: Read-only
+Disable email scanning.
+
+## Use PowerShell to enable email scans
+
+You can also enable email scanning using the following PowerShell parameter:
+1.  Open PowerShell or PowerShellIntegrated Scripting Environment (ISE).
+2.  Type **Set-MpPreference -DisableEmailScanning $false**.
+
+Read more about this in:
+-   [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
+-   [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
+
+## Manage archive scans in Windows Defender
+
+You can use Windows Defender to scan archive files. Malware can install itself and hide in archive files, and although real-time protection offers you the best protection from malware, you can also scan archives stored on your PC or server with Windows Defender.
+> **Important:**  Archive scanning only applies to on-demand and scheduled scans, not on-access scans.
+ 
+Archive scanning in Windows Defender is turned on by default. There are four ways you can manage scans through Windows Defender:
+-   *Group Policy* settings
+-   WMI
+-   PowerShell
+-   Endpoint Protection
+> **Note:**  Scanning archive files might increase the time required to complete a scan.
+ 
+If you exclude an archive file type by using the **Extensions** box, Windows Defender will not scan files with that extension (no matter what the content is), even when you have selected the **Scan archive files** check box. For example, if you exclude .rar files but there�s a .r00 file that�s actually .rar content, it will still be scanned if archive scanning is enabled.
+
+## Use *Group Policy* settings to enable archive scans
+
+This policy setting allows you to turn on archive scanning.
+
+Turn on email scanning with the following *Group Policy* settings:
+1.  Open the **Group Policy Editor**.
+2.  In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
+3.  Click **Scan**.
+4.  Double-click **Scan archive files**.
+
+    This will open the **Scan archive files** window:
+    
+    ![scan archive files window](images/defender-scanarchivefiles.png)
+    
+5.  Select **Enabled**.
+6.  Click **OK** to apply changes.
+
+There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example:
+-   Maximum directory depth level into which archive files are unpacked during scanning
+
+    ![specify the maximum depth to scan archive files window](images/defender-scanarchivedepth.png)
+    
+-   Maximum size of archive files that will be scanned
+
+    ![specify the maximum size of archive files to be scanned window](images/defender-scanarchivesize.png)
+    
+-   Maximum percentage CPU utilization permitted during a scan
+
+    ![specify the maximum percentage od cpu utilization during a scan window](images/defender-scanarchivecpu.png)
+
+## Use WMI to disable archive scans
+
+You can write a WMI script or application to disable archive scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
+
+Use the **DisableArchiveScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
+**DisableArchiveScanning**
+Data type: **boolean**
+Access type: Read-only
+Disable archive scanning.
+
+## Use PowerShell to enable archive scans
+
+You can also enable archive scanning using the following PowerShell parameter:
+1.  Open PowerShell or PowerShellISE.
+2.  Type **Set-MpPreference -DisableArchiveScanning $false**.
+
+Read more about this in:
+-   [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
+-   [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
+
+## Use Endpoint Protection to configure archive scans
+
+In Endpoint Protection, you can use the advanced scanning options to configure archive scanning. For more information, see [What are advanced scanning options?](https://technet.microsoft.com/library/ff823807.aspx)
+ 
diff --git a/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md
new file mode 100644
index 0000000000..7bd0777196
--- /dev/null
+++ b/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -0,0 +1,149 @@
+---
+title: Enable Block at First Sight to detect malware in seconds
+description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly.
+keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+
+
+
+# Enable the Block at First Sight feature
+
+**Applies to**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- Windows Defender Security Center app
+
+
+Block at First Sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds. 
+
+It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled.
+
+You can also [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file.
+
+> [!IMPORTANT]
+> There is no specific individual setting in System Center Configuration Manager to enable or disable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature.
+
+## How it works
+
+When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. The following video describes how this feature works.
+
+The Block at first sight feature only uses the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file.
+
+<iframe 
+src="https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc62c59" width="768" height="432" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe> 
+
+If the cloud backend is unable to make a determination, the file will be locked by Windows Defender AV while a copy is uploaded to the cloud. The cloud will perform additional analysis to reach a determination before it allows the file to run or blocks it in all future encounters, depending on whether the file is determined to be malicious or safe. 
+
+In many cases this process can reduce the response time for new malware from hours to seconds.
+
+
+## Confirm and validate Block at First Sight is enabled
+
+Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender AV deployments in enterprise networks.
+
+
+
+### Confirm Block at First Sight is enabled with Group Policy
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies:
+    
+    1.  Double-click the **Join Microsoft MAPS** setting and ensure the option is set to **Enabled**. Click **OK**.
+    
+    1.  Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following:
+    
+        1. Send safe samples (1)
+        
+        1. Send all samples (3)
+
+        > [!WARNING]
+        > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
+
+    1. Click **OK**.
+
+1.  In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**:
+    
+    1.  Double-click the **Scan all downloaded files and attachments** setting and ensure the option is set to **Enabled**. Click **OK**.
+    
+    1.  Double-click the **Turn off real-time protection** setting and ensure the option is set to **Disabled**. Click **OK**.
+
+If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
+
+
+### Confirm Block at First Sight is enabled with the Windows Defender Security Center app
+
+You can confirm that Block at First Sight is enabled in Windows Settings. 
+
+The feature is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
+
+**Confirm Block at First Sight is enabled on individual clients**
+
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+
+![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png)
+    
+3.	Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
+
+> [!NOTE]
+> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+
+
+### Validate Block at First Sight is working
+
+You can validate that the feature is working by following the steps outlined in the [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate) topic.
+
+
+## Disable Block at First Sight
+
+> [!WARNING]
+> Disabling the Block at First Sight feature will lower the protection state of the endpoint and your network.
+
+You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
+
+**Disable Block at First Sight with Group Policy**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**.
+
+1.  Double-click the **Configure the �Block at First Sight� feature** setting and set the option to **Disabled**.
+
+    > [!NOTE]
+    > Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies.
+
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+
+
diff --git a/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
new file mode 100644
index 0000000000..8846515965
--- /dev/null
+++ b/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
@@ -0,0 +1,74 @@
+---
+title: Configure the Windows Defender AV cloud block timeout period
+description: You can configure how long Windows Defender Antivirus will block a file from running while waiting for a cloud determination.
+keywords: windows defender antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure the cloud block timeout period
+
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+
+
+
+
+
+
+When Windows Defender Antivirus is suspicious of a file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud-protection service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md).
+
+The default period that the file will be [blocked](configure-block-at-first-sight-windows-defender-antivirus.md) for is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Windows Defender Antivirus cloud.
+
+
+
+## Prerequisites to use the extended cloud block timeout
+
+The [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature and its prerequisites must be enabled before you can specifiy an extended timeout period. 
+    
+## Specify the extended timeout period
+
+You can use Group Policy to specify an extended timeout for cloud checks.
+
+**Use Group Policy to specify an extended timeout period:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+3.  Click **Policies** then **Administrative templates**.
+
+4.  Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**
+    
+5.  Double-click the **Configure extended cloud check** setting and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination.  You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
+    
+6. Click **OK**.
+
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
+- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+- [Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+
+
+
+
diff --git a/windows/keep-secure/configure-end-user-interaction-windows-defender-antivirus.md b/windows/keep-secure/configure-end-user-interaction-windows-defender-antivirus.md
new file mode 100644
index 0000000000..47b2f3f968
--- /dev/null
+++ b/windows/keep-secure/configure-end-user-interaction-windows-defender-antivirus.md
@@ -0,0 +1,39 @@
+---
+title: Configure how users can interact with Windows Defender AV
+description: Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings.
+keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure end-user interaction with Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+
+You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus.
+
+This includes whether they see the Windows Defender AV interface, what notifications they see, and if they can locally override globally deployed Group Policy settings.
+
+## In this section
+
+Topic | Description 
+---|---
+[Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
+[Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users
+[Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints
diff --git a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
new file mode 100644
index 0000000000..11e86abb86
--- /dev/null
+++ b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
@@ -0,0 +1,141 @@
+---
+title: Set up exclusions for Windows Defender AV scans
+description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Exclude files and processes from Windows Defender AV scans
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager 
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- Microsoft Intune
+- Windows Defender Security Center
+
+You can exclude certain files, folders, and process-modified files from being scanned by Windows Defender AV. The exclusions apply to both [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
+
+Changes made via Group Policy to the exclusion lists will show in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+
+However, changes made in the Windows Defender Security Center app will not show in the lists in the Group Policy settings.
+
+
+## Exclude file extensions from Windows Defender AV scans
+
+You can exclude certain file extenstions from being scanned by Windows Defender AV.
+
+**Use Group Policy to exclude specified file extensions from scans:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. 
+
+
+6. Double-click the **Extension Exclusions** setting and add the exclusions:
+
+    1. Set the option to **Enabled**. 
+    2. Under the **Options** section, click **Show...**
+    3. Enter each file extension on its own line under the **Value name** column.  Enter **0** in the **Value** column for all processes.
+
+7. Click **OK**. 
+
+![The Group Policy setting for file exclusions](images/defender/wdav-extension-exclusions.png)
+
+
+
+
+## Exclude paths and files from Windows Defender AV scans
+
+**Use Group Policy to exclude specified paths or folders from scans:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. 
+
+
+6. Double-click the **Path Exclusions** setting and add the exclusions:
+
+    1. Set the option to **Enabled**. 
+    2. Under the **Options** section, click **Show...**
+    3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extesnsion. Enter **0** in the **Value** column for all processes.
+
+7. Click **OK**. 
+
+![The Group Policy setting for folder exclusions](images/defender/wdav-path-exclusions.png)
+
+
+## Exclude files opened by processes from Windows Defender AV scns
+
+You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process will be.
+
+You can only exclude executable files.
+
+**Use Group Policy to exclude files that have been used or modified by specified processes from scans:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. 
+
+
+6. Double-click the **Process Exclusions** setting and add the exclusions:
+
+    1. Set the option to **Enabled**. 
+    2. Under the **Options** section, click **Show...**
+    3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extesnsion. Enter **0** in the **Value** column for all processes.
+
+7. Click **OK**. 
+
+![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
+
+
+ ## Configure auto exclusions lists for Windows Server deployments
+
+If you are using Windows Defender AV to protect Windows Server endpoints or machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Server role.
+
+These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+
+You can also [add custom exclusions to the auto exclusions with PowerShell](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server#BKMK_DefExclusions).
+Exclusions | Turn off Auto Exclusions | 
+
+
+
+
+
+
+
+## Related topics
+
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md
new file mode 100644
index 0000000000..fb1993e2a1
--- /dev/null
+++ b/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -0,0 +1,103 @@
+---
+title: Configure local overrides for Windows Defender AV settings
+description: Enable or disable users from locally changing settings in Windows Defender AV.
+keywords: local override, local policy, group policy, gpo, lockdown,merge, lists
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Prevent or allow users to locally modify Windows Defender AV policy settings
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+
+
+By default, Windows Defender AV settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. 
+
+For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use.
+
+## Configure local overrides for Windows Defender AV settings
+
+The default setting for these policies is **Disabled**.
+
+If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Defender Security Center](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate).
+
+The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting.
+
+To configure these settings:
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+7. Deploy the Group Policy Object as usual.
+
+Location | Setting | Impact if **Enabled** | Configuration topic
+---|---|---|---
+MAPS | Configure local setting override for reporting to Microsoft MAPS | User can disable cloud protection | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+Quarantine | Configure local setting override for the removal of items from Quarantine folder | User can change the number of days threats are kept in the quarantine folder before being removed |[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring file and program activity on your computer | User can disable real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | User can change direction for file activity monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Allow user to disable scans of downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for turn on behavior monitoring | User  | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override to turn on real-time protection | xxx | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | xxx | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
+Scan | Configure local setting override for maximum percentage of CPU utilization | xxx | [Configure and run scans](run-scan-windows-defender-antivirus.md)
+Scan | Configure local setting override for schedule scan day | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled quick scan time | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled scan time | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Configure local setting override for the scan type to use for a scheduled scan | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+
+
+
+
+
+
+## Configure how locally and globally defined threat remediation and exclusions lists are merged
+
+You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md).
+
+By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate GPO that you have deployed on your network. Where there are conflicts, the globally defined list takes precendence.
+
+You can disable this setting to ensure that only globally defined lists (such as those from any deployed GPOs) are used.
+
+
+**Use Group Policy to disable local list merging:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus**.
+
+6. Double-click the **Configure local administrator merge behavior for lists** setting and set the option to **Enabled**. Click **OK**. 
+
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md b/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md
new file mode 100644
index 0000000000..4bba9f4ec2
--- /dev/null
+++ b/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md
@@ -0,0 +1,199 @@
+---
+title: Configure and test Windows Defender Antivirus network connections
+description: Configure and test your connection to the Windows Defender Antivirus cloud-delivered protection service.
+keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure and validate network connections for Windows Defender Antivirus
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+
+To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
+
+This topic lists the connections that must be allowed, including firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services.
+
+See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity.
+
+## Allow connections to the Windows Defender Antivirus cloud
+
+The Windows Defender Antivirus cloud provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommend as it provides very important protection against malware on your endpoints and across your network.
+
+>[!NOTE] 
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+See the [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) topic for details on enabling the service with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app.
+
+After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
+
+The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them:
+
+<table  style="vertical-align:top">
+<tr style="vertical-align:top">
+<th >Service</th>
+<th>Description</th>
+<th>URL</th>
+</tr>
+<tr style="vertical-align:top">
+<td>
+ Windows Defender Antivirus cloud-based protection service, also referred to as Microsoft Active Protection Service (MAPS)
+</td>
+<td>
+ Used by Windows Defender Antivirus to provide cloud-based protection
+</td>
+<td>
+*.wdcp.microsoft.com*<br />
+*.wdcpalt.microsoft.com*
+</td>
+</tr>
+<tr style="vertical-align:top">
+<td>
+Microsoft Update Service (MU)
+</td>
+<td>
+Signature and product updates
+</td>
+<td>
+*.updates.microsoft.com
+</td>
+</tr>
+<tr style="vertical-align:top">
+<td>
+ Definition updates alternate download location (ADL)
+</td>
+<td>
+ Alternate location for Windows Defender Antivirus definition updates if the installed definitions fall out of date (7 or more days behind)
+</td>
+<td>
+*.download.microsoft.com
+</td>
+</tr>
+<tr style="vertical-align:top">
+<td>
+ Malware submission storage 
+</td>
+<td>
+ Upload location for files submitted to Microsoft via the <a href="https://www.microsoft.com/en-us/security/portal/submission/submit.aspx">Submission form</a> or automatic sample submission
+</td>
+<td>
+*.blob.core.windows.net
+</td>
+</tr>
+<tr style="vertical-align:top">
+<td>
+Certificate Revocation List (CRL)
+</td>
+<td>
+Used by Windows when creating the SSL connection to MAPS for updating the CRL
+</td>
+<td>
+http://www.microsoft.com/pkiops/crl/<br />
+http://www.microsoft.com/pkiops/certs<br />
+http://crl.microsoft.com/pki/crl/products<br />
+http://www.microsoft.com/pki/certs
+</ul>
+</td>
+</tr>
+<tr style="vertical-align:top">
+<td>
+Symbol Store 
+</td>
+<td>
+Used by Windows Defender Antivirus to restore certain critical files during remediation flows
+</td>
+<td>
+https://msdl.microsoft.com/download/symbols
+</td>
+</tr>
+<tr style="vertical-align:top">
+<td>
+Universal Telemetry Client
+</td>
+<td>
+Used by Windows to send client telemetry, Windows Defender Antivirus uses this for product quality monitoring purposes
+</td>
+<td>
+This update uses SSL (TCP Port 443) to download manifests and upload telemetry to Microsoft that uses the following DNS endpoints:  <ul><li>vortex-win.data.microsoft.com</li><li>settings-win.data.microsoft.com</li></ul></td>
+</tr>
+</table>
+
+<a id="validate"></a>
+
+
+## Validate connections between your network and the cloud
+
+After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender AV cloud and are correctly reporting and receiving information to ensure you are fully protected.
+
+**Use the cmdline tool to validate cloud-delivered protection:**
+
+Use the following argument with the Windows Defender AV command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender AV cloud:
+
+```DOS
+MpCmdRun - ValidateMapsConnection 
+```
+
+See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.
+
+**Attempt to download a fake malware file from Microsoft:**
+
+You can download a sample file that Windows Defender AV will detect and block if you are properly connected to the cloud.
+
+Download the file by visiting the following link:
+- http://aka.ms/ioavtest
+
+>[!NOTE] 
+>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
+
+If you are properly connected, you will see a warning notification from Windows Defender Antivirus:
+
+![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png)
+
+If you are using Microsoft Edge, you'll also see a notification message:
+
+![Microsoft Edge informing the user that malware was found](images/defender/wdav-bafs-edge.png)
+
+A similar message occurs if you are uding Internet Explorer:
+
+![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png)
+
+You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Defender Security Center app:
+
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
+
+    ![Screenshot of the Scan history label in the Windows Defender Security Center app](images/defender/wdav-history-wdsc.png)
+    
+3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware:
+
+    ![Screenshot of quarantined items in the Windows Defender Security Center app](images/defender/wdav-quarantined-history-wdsc.png)
+
+The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md).
+
+>[!IMPORTANT]
+>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will  need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [Run a Windows Defender scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
+- [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) 
+
+
diff --git a/windows/keep-secure/configure-notifications-windows-defender-antivirus.md b/windows/keep-secure/configure-notifications-windows-defender-antivirus.md
new file mode 100644
index 0000000000..2244318943
--- /dev/null
+++ b/windows/keep-secure/configure-notifications-windows-defender-antivirus.md
@@ -0,0 +1,129 @@
+---
+title: Configure notifications for Windows Defender Antivirus
+description: Configure and customize notifications from Windows Defender AV.
+keywords: notifications, defender, endpoint, management, admin
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure the notifications that appear on endpoints
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- Windows Defender Security Center app
+
+In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise.
+
+Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals.
+
+You can also configure how standard notifications appear on endpoints, such as notfications for reboot or when a threat has been detected and remediated.
+
+## Configure the additional notifications that appear on endpoints
+
+You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md) and with Group Policy.
+
+> [!NOTE]
+> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10 it is called **Enhanced notifications**.
+
+> [!IMPORTANT]
+> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts.
+
+**Use the Windows Defender Security Center app to disable additional notifications:** 
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+
+![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png)
+    
+3.	Scroll to the **Notifications** section and click **Change notification settings**.
+
+4. Slide the switch to **Off** or **On** to disable or enable additional notifications.
+
+**Use Group Policy to disable additional notifications:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. 
+
+6.  Double-click the **Turn off enhanced notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
+
+
+## Configure standard notifications on endpoints
+
+You can use Group Policy to:
+- Display additional, customized text on endpoints when the user needs to perform an action
+- Hide all notifications on endpoints
+- Hide reboot notifications on endpoints
+
+Hiding notifications can be useful in situations where you cannot hide the entire Windows Defender AV interface. See [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information.
+
+> [!NOTE]
+> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
+
+**Use Group Policy to display additional, custom text in notifications:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. 
+
+6.  Double-click the **Display additional text to clients when they need to perform an action** setting and set the option to **Enabled**. 
+
+7. Enter the additional text you want to be shown to users. Click **OK**. 
+
+**Use Group Policy to hide notifications:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. 
+
+6.  Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
+
+**Use Group Policy to hide reboot notifications:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. 
+
+6.  Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
+
+
+
+
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
diff --git a/windows/keep-secure/configure-protection-features-windows-defender-antivirus.md b/windows/keep-secure/configure-protection-features-windows-defender-antivirus.md
new file mode 100644
index 0000000000..bf1f2f595e
--- /dev/null
+++ b/windows/keep-secure/configure-protection-features-windows-defender-antivirus.md
@@ -0,0 +1,43 @@
+---
+title: Enable and configure protection features in Windows Defender AV
+description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV.
+keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure behavioral, heuristic, and real-time protection
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+Windows Defender Antivirus uses several methods to provide threat protection:
+
+- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
+- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
+- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
+
+You can configure how Windows Defender AV uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
+
+This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware. 
+
+See the [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) section for how to enable and configure Windows Defender AV cloud-delivered protection.
+
+
+## In this section
+
+ Topic | Description 
+---|---
+[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
+[Enable and configure Windows Defender AV protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features
\ No newline at end of file
diff --git a/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md b/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md
new file mode 100644
index 0000000000..ad4ca873ec
--- /dev/null
+++ b/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md
@@ -0,0 +1,99 @@
+---
+title: Configure always-on real-time protection in Windows Defender AV
+description: Enable and configure real-time protectoin features such as behavior monitoring, heuristics, and machine-learning in Windows Defender AV
+keywords: real-time protection, rtp, machine-learning, behavior monitoring, heuristics
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+
+# Enable and configure Windows Defender AV always-on protection and monitoring
+
+
+
+**Applies to:**
+
+- Windows 10
+
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+
+
+
+
+Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. 
+
+These activities include events such as processes making unusual changes to existing files, modifiying or creating automatic startup registry keys and startup locations (also known as auto-start extensibilty points, or ASEPs), and other changes to the file system or file structure.
+
+
+## Configure and enable always-on protection
+
+You can configure how always-on protection works with the following Group Policy settings described in this section.
+
+To configure these settings:
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+
+
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Real-time protection | Monitor file and program activity on your computer | The AV engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled
+Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to Windows Defender SmartScreen filter, which scans files before and during downloading | Enabled
+Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the AV engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled
+Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
+Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analysed by behavior monitoring | Enabled
+Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled 
+Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or server roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. 
+Scan	| Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled (both directions)
+
+
+
+
+## Disable real-time protection
+> [!WARNING]
+> Disabling real-time protection will drastically reduce the protection on your endpoints and is not recommended.
+
+The main real-time protection capability is enabled by default, but you can disable it with Group Policy:
+
+**Use Group Policy to diasble real-time protection:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**.
+
+6. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**. 
+
+
+
+## Related topics
+
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/configure-remediation-windows-defender-antivirus.md b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
new file mode 100644
index 0000000000..bfc941c20c
--- /dev/null
+++ b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
@@ -0,0 +1,17 @@
+---
+title: Remediate and resolve infections detected by Windows Defender AV
+description: Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+
+# Configure remediation for Windows Defender AV scans
\ No newline at end of file
diff --git a/windows/keep-secure/configure-windows-defender-antivirus-features.md b/windows/keep-secure/configure-windows-defender-antivirus-features.md
new file mode 100644
index 0000000000..d1da91abab
--- /dev/null
+++ b/windows/keep-secure/configure-windows-defender-antivirus-features.md
@@ -0,0 +1,54 @@
+---
+title: Configure Windows Defender Antivirus features (Windows 10)
+description: You can configure features for Windows Defender Antivirus using Configuration Manager, MDM software (such as Intune), PowerShell, and with Group Policy settings.
+keywords: windows defender antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure Windows Defender Antivirus features
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+Windows Defender Antivirus can be configured with a number of tools, including:
+
+- Group Policy settings
+- System Center Configuration Manager
+- PowerShell cmdlets
+- Windows Management Instrumentation (WMI)
+- Microsoft Intune
+
+
+The following broad categories of features can be configured:
+
+- Cloud-delivered protection
+- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
+- How end-users interact with the client on individual endpoints
+
+The topics in this section describe how to perform key tasks when configuring Windows Defender AV. Each topic includes instructions for the applicable configuration tool (or tools).
+
+You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help.
+
+
+## In this section
+Topic | Description
+:---|:---
+[Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
+[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time protection in Windows Defender AV
+[Configure end-user interaction with WDAM](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings
+
+
+
diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md
index 93469dafa2..32dc5bdf7d 100644
--- a/windows/keep-secure/configure-windows-defender-in-windows-10.md
+++ b/windows/keep-secure/configure-windows-defender-in-windows-10.md
@@ -1,6 +1,6 @@
 ---
 title: Configure and use Windows Defender in Windows 10
-description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
+description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
 ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -8,197 +8,9 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: jasesso
+redirect_url: /itpro/windows/keep-secure/deploy-manage-report-windows-defender-antivirus/
 ---
 
 # Configure Windows Defender in Windows 10
 
-**Applies to**
--   Windows 10
-
-You can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
-
-You can also enable and configure the Microsoft Active Protection Service to ensure endpoints are protected by cloud-based protection technologies.
-
-## Configure definition updates
-
-It is important to update definitions regularly to ensure that your endpoints are protected. Definition updates can be configured to suit the requirements of your organization.
-
-Windows Defender supports the same updating options (such as using multiple definition sources) as other Microsoft endpoint protection products; for more information, see [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx).
-
-When you configure multiple definition sources in Windows Defender, you can configure the fallback order using the following values through *Group Policy* settings:
-
--   InternalDefinitionUpdateServer - WSUS
--   MicrosoftUpdateServer - Microsoft Update
--   MMPC - [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx)
--   FileShares - file share
-
-Read about deploying administrative template files for Windows Defender in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367).
-
-You can also manage your Windows Defender update configuration settings through System Center Configuration Manager. See [How to Configure Definition Updates for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/jj822983.aspx) for details.
-
-## Definition update logic
-
-You can update Windows Defender definitions in four ways depending on your business requirements:
-
--   WSUS, the managed server. You can manage the distribution of updates that are released through Microsoft Update to computers in your enterprise environment; read more on the [Windows Server Update Services](https://technet.microsoft.com/windowsserver/bb332157.aspx) website.
--   Microsoft Update, the unmanaged server. You can use this method to get regular updates from Microsoft Update.
--   The [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx), as an alternate download location. You can use this method if you want to download the latest definitions.
--   File share, where the definition package is downloaded. You can retrieve definition updates from a file share. The file share must be provisioned on a regular basis with the update files.
-
-## Update Windows Defender definitions through Active Directory and WSUS
-
-This section details how to update Windows Defender definitions for Windows 10 endpoints through Active Directory and WSUS.
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Method</th>
-<th align="left">Instructions</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>WSUS</p></td>
-<td align="left"><p>See [Software Updates and Windows Server Update Services Definition Updates](https://technet.microsoft.com/library/gg398036.aspx) in the [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx) topic that also applies to Windows Defender.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Microsoft Update</p></td>
-<td align="left"><p>Set the following fallback order <em>Group Policy</em> to enable Microsoft Update:</p>
-<ol>
-<li>Open the <strong>Group Policy Editor</strong>.</li>
-<li>In the <strong>Local Computer Policy</strong> tree, expand <strong>Computer Configuration</strong>, then <strong>Administrative Templates</strong>, then <strong>Windows Components</strong>, then <strong>Windows Defender</strong>.</li>
-<li>Click on <strong>Signature Updates</strong>.</li>
-<li><p>Double-click on <strong>Define the order of sources for downloading definition updates</strong>.</p>
-<p>This will open the <strong>Define the order of sources for downloading definition updates</strong> window.</p></li>
-<li>Click <strong>Enable</strong>.</li>
-<li><p>In the <strong>Options</strong> pane, define the following <em>Group Policy</em> to enable Microsoft Update:</p>
-<p><strong>{MicrosoftUpdateServer}</strong></p>
-<p><img src="images/defender-gp-defsourcefield.png" alt="&quot;Define the order of sources for downloading definition updates&quot; field" /></p></li>
-<li><p>Click <strong>OK</strong>.</p>
-<p>The window will close automatically.</p></li>
-</ol></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx)</p></td>
-<td align="left"><p>Set the following fallback order <em>Group Policy</em> to enable Windows Defender to download updated signatures:</p>
-<ol>
-<li>Open the <strong>Group Policy Editor</strong>.</li>
-<li>In the <strong>Local Computer Policy</strong> tree, expand <strong>Computer Configuration</strong>, then <strong>Administrative Templates</strong>, then <strong>Windows Components</strong>, then <strong>Windows Defender</strong>.</li>
-<li>Click on <strong>Signature Updates</strong>.</li>
-<li><p>Double-click on <strong>Define the order of sources for downloading definition updates</strong>.</p>
-<p>This will open the <strong>Define the order of sources for downloading definition updates</strong> window.</p></li>
-<li>Click <strong>Enable</strong>.</li>
-<li><p>In the <strong>Options</strong> pane, define the following <em>Group Policy</em> to enable Windows Defender to download updated signatures:</p>
-<p><strong>{MMPC}</strong></p>
-<p><img src="images/defender-gp-defsourcefield.png" alt="&quot;Define the order of sources for downloading definition updates&quot; field" /></p></li>
-<li><p>Click <strong>OK</strong>.</p>
-<p>The window will close automatically.</p></li>
-</ol></td>
-</tr>
-<tr class="even">
-<td align="left"><p>File share</p></td>
-<td align="left"><p></p>
-<ol>
-<li>Open the <strong>Group Policy Editor</strong>.</li>
-<li>In the <strong>Local Computer Policy</strong> tree, expand <strong>Computer Configuration</strong>, then <strong>Administrative Templates</strong>, then <strong>Windows Components</strong>, then <strong>Windows Defender</strong>.</li>
-<li>Click on <strong>Signature Updates</strong>.</li>
-<li><p>Double-click on <strong>Define the order of sources for downloading definition updates</strong>.</p>
-<p>This will open the <strong>Define the order of sources for downloading definition updates</strong> window:</p></li>
-<li>Click <strong>Enable</strong>.</li>
-<li><p>In the <strong>Options</strong> pane, define the following <em>Group Policy</em> to enable Windows Defender to download updated signatures:</p>
-<p><strong>{FileShares}</strong></p>
-<p><img src="images/defender-gp-defsourcefield.png" alt="&quot;Define the order of sources for downloading definition updates&quot; field" /></p></li>
-<li><p>Click <strong>OK</strong>.</p>
-<p>The window will close automatically.</p></li>
-<li><p>Double-click on <strong>Define file shares for downloading definition updates</strong>.</p>
-<p>This will open the <strong>Define file shares for downloading definition updates</strong> window.</p></li>
-<li>Click <strong>Enable</strong>.</li>
-<li><p>In the <strong>Options</strong> pane, define the following <em>Group Policy</em> to specify the Universal Naming Convention (UNC) share source:</p>
-<p><strong>{\\unc1\\unc2}</strong> - where you define [unc] as the UNC shares.</p>
-<p><img src="images/defender-gp-defsharesfield.png" alt="&quot;Define the file shares for downloading definition updates&quot; field" /></p></li>
-<li><p>Click <strong>OK</strong>.</p>
-<p>The window will close automatically.</p></li>
-</ol></td>
-</tr>
-</tbody>
-</table>
- 
-## Manage cloud-based protection
-
-Windows Defender offers improved cloud-based protection and threat intelligence for endpoint protection clients using the Microsoft Active Protection Service. Read more about the Microsoft Active Protection Service community in [Join the Microsoft Active Protection Service community](http://windows.microsoft.com/windows-8/join-maps-community).
-
-You can enable or disable the Microsoft Active Protection Service using *Group Policy* settings and administrative template files.
-
-More information on deploying administrative template files for Windows Defender is available in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367).
-
-The Microsoft Active Protection Service can be configured with the following *Group Policy* settings:
-
-1.  Open the **Group Policy Editor**.
-2.  In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
-3.  Click on **MAPS**.
-4.  Double-click on **Join Microsoft MAPS**.
-5.  Select your configuration option from the **Join Microsoft MAPS** list.
-
-    >**Note:**  Any settings modified on an endpoint will be overridden by the administrator's policy setting.
-     
-Use the Windowsdefender.adm *Group Policy* template file to control the policy settings for Windows Defender in Windows 10:
-
-Policy setting: **Configure Microsoft SpyNet Reporting**
-
-Registry key name: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting**
-
-Policy description: **Adjusts membership in Microsoft Active Protection Service**
-
-You can also configure preferences using the following PowerShell parameters:
-
--   Turn Microsoft Active Protection Service off: *Set-MpPreference -MAPSReporting 0*
--   Turn Microsoft Active Protection Service on: *Set-MpPreference -MAPSReporting 2*
-
-Read more about this in:
-
--   [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
--   [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-
->**Note:**  Any information that Windows Defender collects is encrypted in transit to our servers, and then stored in secure facilities. Microsoft takes several steps to avoid collecting any information that directly identifies you, such as your name, email address, or account ID.
- 
-Read more about how to manage your privacy settings in [Setting your preferences for Windows 10 services](http://windows.microsoft.com/windows-10/services-setting-preferences).
-
-## Opt-in to Microsoft Update
-
-You can use Microsoft Update to keep definitions on mobile computers running Windows Defender in Windows 10 up to date when they are not connected to the corporate network. If the mobile computer doesn't have a [Windows Server Update Service](https://technet.microsoft.com/windowsserver/bb332157.aspx) (WSUS) connection, the signatures will still come from Microsoft Update. This means that signatures can be pushed down (via Microsoft Update) even if WSUS overrides Windows Update.
-
-You need to opt-in to Microsoft Update on the mobile computer before it can retrieve the definition updates from Microsoft Update.
-
-There are two ways you can opt-in to Microsoft Update in Windows Defender for Windows 10:
-
-1.  Use a VBScript to create a script, then run it on each computer in your network.
-2.  Manually opt-in every computer on your network through the **Settings** menu.
-
-You can create a VBScript and run it on each computer on your network; this is an efficient way to opt-in to Microsoft Update.
-
-**Use a VBScript to opt in to Microsoft Update**
-
-1.  Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
-2.  Run the VBScript you created on each computer in your network.
-
-You can manually opt-in each individual computer on your network to receive Microsoft Update.
-
-**Manually opt-in to Microsoft Update**
-
-1.  Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
-2.  Click **Advanced** options.
-3.  Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
-
-## Schedule updates for Microsoft Update
-
-Opting-in to Microsoft Update means that your system administrator can schedule updates to your mobile computer, so that it keeps up-to-date with the latest software versions and security definitions, even when you’re on the road.
-
-For more information on scheduling updates, see [Configure definition updates](https://technet.microsoft.com/library/mt622088.aspx#configure-definition-updates).
-
-## Related topics
-
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+This page has been redirected to *Windows Defender Antivirus in Windows 10*.
diff --git a/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md
new file mode 100644
index 0000000000..ac57f3e615
--- /dev/null
+++ b/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -0,0 +1,40 @@
+---
+title: Run and customize scheduled and on-demand scans
+description: Customize and initiate scans using Windows Defender AV on endpoints across your network.
+keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Customize, initiate, and review the results of Windows Defender AV scans and remediation
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure scans run by Windows Defender Antivirus.
+
+
+
+## In this section
+
+Topic | Description 
+---|---
+[Exclude files and processes from scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
+[Configure email, removable storage, network, reparse point, and archive scanning](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender AV to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
+[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quaratine folder
+[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
+[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app 
+[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using  System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
+
diff --git a/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md b/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md
new file mode 100644
index 0000000000..18cfd5e134
--- /dev/null
+++ b/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md
@@ -0,0 +1,94 @@
+---
+title: Deploy, manage, and report on Windows Defender Antivirus
+description: You can deploy and manage Windows Defender Antivirus with Group Policy, Configuration Manager, WMI, PowerShell, or Intune
+keywords: deploy, manage, update, protection, windows defender antivirus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Deploy, manage, and report on Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- IT administrators
+
+You can deploy, manage, and report on Windows Defender Antivirus in a number of ways. 
+
+As the Windows Defender AV client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
+
+However, in most cases you will still need to enable the protection service on your endpoints with System Center Configuration Manager, Microsoft Intune, Azure Secrutiy Center, or Group Policy Objects, which is described in the following table.
+
+You'll also see additional links for:
+- Managing Windows Defender Antivirus protection, including managing product and protection updates
+- Reporting on Windows Defender Antivirus protection
+
+> [!IMPORTANT]
+> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-part antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
+
+
+Tool|Deployment options (<a href="#fn1" id="ref1">1</a>)|Management options (network-wide configuration and policy or baseline deployment) ([2](#fn2))|Reporting options  
+---|---|---|---  
+System Center Configuration Manager ([3](#fn3))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]  
+Microsoft Intune|[Deploy the Microsoft Intune client to endpoints][]|Use and deploy a [custom Intune policy][] and use the Intune console to [manage tasks][]|[Monitor endpoint protection in the Microsoft Intune administration console][]  
+Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
+PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][]
+Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
+Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
+
+1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager, current branch (for example, System Center Configuration Manager 2016) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager, current branch (2016). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for a table that describes the major differences.  [(Return to table)](#ref1)
+
+1. <span id="fn2" />Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library.  [(Return to table)](#ref2)
+  
+1.	<span id="fn3" />In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date. Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers.  [(Return to table)](#ref3)
+
+
+
+
+
+[Endpoint Protection point site system role]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-site-role
+[default and customized antimalware policies]:  https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies
+[client management]:  https://docs.microsoft.com/en-us/sccm/core/clients/manage/manage-clients
+[enable Endpoint Protection with custom client settings]:  https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-configure-client
+[Configuration Manager Monitoring workspace]:  https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection 
+[email alerts]:  https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts
+[Deploy the Microsoft Intune client to endpoints]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune
+[custom Intune policy]:  https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
+ [custom Intune policy]:  https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection 
+[manage tasks]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection
+[Monitor endpoint protection in the Microsoft Intune administration console]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection
+[Set method of the MSFT_MpPreference class]:  https://msdn.microsoft.com/en-us/library/dn439474 
+[Update method of the MSFT_MpSignature class]:  https://msdn.microsoft.com/en-us/library/dn439474
+[MSFT_MpComputerStatus]:  https://msdn.microsoft.com/en-us/library/dn455321 
+[Windows Defender WMIv2 Provider]: https://msdn.microsoft.com/en-us/library/dn439477
+[Set-MpPreference]:  https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md
+[Update-MpSignature]: https://technet.microsoft.com/itpro/powershell/windows/defender/update-mpsignature
+[Get- cmdlets available in the Defender module]: https://technet.microsoft.com/itpro/powershell/windows/defender/index
+[Configure update options for Windows Defender Antivirus]: manage-updates-baselines-windows-defender-antivirus.md
+[Configure Windows Defender features]: configure-windows-defender-antivirus-features.md
+[Group Policies to determine if any settings or policies are not applied]: https://technet.microsoft.com/en-us/library/cc771389.aspx
+[Possibly infected devices]: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices
+[Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md
+
+
+## In this section
+
+Topic | Description 
+---|---
+[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
+[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
+[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md)
diff --git a/windows/keep-secure/deploy-windows-defender-antivirus.md b/windows/keep-secure/deploy-windows-defender-antivirus.md
new file mode 100644
index 0000000000..6f98f62d52
--- /dev/null
+++ b/windows/keep-secure/deploy-windows-defender-antivirus.md
@@ -0,0 +1,40 @@
+---
+title: Deploy and enable Windows Defender Antivirus 
+description: Deploy Windows Defender AV for protection of your endpoints with Configuration Manager, Microsoft Intune, Group Policy, PowerShell cmdlets, or WMI.
+keywords: deploy, enable, windows defender av
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Deploy and enable Windows Defender Antivirus
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Network administrators
+- IT administrators
+
+
+Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender AV protection.
+
+See the [(Deployment, managament, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref1) for instructions on how to enable protection with System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, Microsoft Intune, PowerShell cmdlets, and Windows Management Instruction (WMI).
+
+Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender AV protection, such as Virtual Desktop Infrastructure (VDI) environments.
+
+The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender AV ion virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md).
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrasructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
new file mode 100644
index 0000000000..50d37bfe9d
--- /dev/null
+++ b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
@@ -0,0 +1,309 @@
+---
+title: Windows Defender Antivirus VDI deployment guide
+description: Learn how to deploy Windows Defender Antivirus in a VDI environment for the best balance between protection and performance.
+keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- IT professionals
+
+**Manageability available with**
+
+- System Center Configuration Manager (current branch)
+- Group Policy
+
+
+
+In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus (Windows Defender AV) in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. 
+
+Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. For more details on the best configuration options to ensure a good balance between performance and protection, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section.
+
+See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support.
+
+For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection) topic.
+
+There are three main steps in this guide to help roll out Windows Defender AV protection across your VDI:
+
+1.	[Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines (VMs) will use](#create-and-deploy-the-base-image)
+2.	[Manage the base image and updates for your VMs](#manage-vms-and-base-image)
+3.	[Configure the VMs for optimal protection and performance](#configure-endpoints-for-optimal-performance), including:
+    - [Randomize scheduled scans](#randomize-scheduled-scans)
+    - [Use quick scans](#use-quick-scans)
+    - [Prevent notifications](#prevent-notifications)
+    - [Disable scans from occuring after every update](#disable-scans-after-an-update)
+    - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
+
+>[!IMPORTANT]
+> While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
+
+>[!NOTE] 
+>When you manage Windows with System Center Configuration Manager, Windows Defender AV protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information.
+
+The following table lists the configuration settings that we recommend when deploying Windows Defender AV in a VDI environment:
+
+
+
+## Create and deploy the base image 
+
+The main steps in this section include:
+1.	Create your standard base image according to your requirements
+2.	Apply Windows Defender AV protection updates to your base image
+3.	Seal or “lock” the image to create a “known-good” image
+4.	Deploy your image to your VMs
+
+### Create the base image  
+First, you should create your base image according to your business needs, applying or installing the relevant line of business (LOB) apps and settings as you normally would. Typically, this would involve creating a VHD or customized .iso, depending on how you will deploy the image to your VMs.
+
+### Apply protection updates to the base image
+After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender AV protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches.
+
+### Seal the base image
+When the base image is fully updated, you should run a quick scan on the image. This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
+
+You can run a quick scan [from the command line](command-line-arguments-windows-defender-antivirus.md) or via [System Center Configuration Manager](run-scan-windows-defender-antivirus.md).
+
+>[!NOTE] 
+><b>Quick scan versus full scan</b>
+>Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. Combined with our always on real-time protection capability - which reviews files when they are opened and closed, and whenever a user navigates to a folder – quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.  
+>Therefore, when considering performance – especially for creating a new or updated image in preparation for deployment – it makes sense to use a quick scan only. 
+>A full scan, however, can be useful on a VM that has encountered a malware threat to identify if there are any inactive components lying around and help perform a thorough clean-up.
+
+
+### Deploy the base image  
+You’ll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs. 
+
+The following references provide ways you can create and deploy the base image across your VDI:
+
+- [Single image management for Virtual Desktop Collections](https://blogs.technet.microsoft.com/enterprisemobility/2012/10/29/single-image-management-for-virtual-desktop-collections-in-windows-server-2012/)
+- [Using Hyper-V to create a Base OS image that can be used for VMs and VHDs](https://blogs.technet.microsoft.com/haroldwong/2011/06/12/using-hyper-v-to-create-a-base-os-image-that-can-be-used-for-vms-and-boot-to-vhd/)
+- [Plan for Hyper-V security in Windows Server 2016]( https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/plan/plan-for-hyper-v-security-in-windows-server-2016)
+- [Create a virtual machine in Hyper-V (with a VHD)](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/get-started/create-a-virtual-machine-in-hyper-v)
+- [Build Virtual Desktop templates]( https://technet.microsoft.com/en-us/library/dn645526(v=ws.11).aspx)
+
+
+
+
+
+## Manage your VMs and base image
+How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure.
+
+Because Windows Defender AV downloads protection updates every day, [or based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time.  
+
+Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb).
+
+
+### Manage updates for persistent VDIs
+
+If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be delivered daily via a file share, as follows:  
+1. Create a dedicated file share location on your network that can be accessed by your VMs and your VM host (or other, persistent machine, such as a dedicated admin console that you use to manage your VMs).
+2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this).
+3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md).
+4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others.
+5. On or just after each Patch Tuesday (the second Tuesday of each month), update your base image with [the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md). Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/).
+5. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
+
+A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them. 
+
+
+### Manage updates for non-persistent VDIs
+
+If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image.
+
+An example:  
+1. Every night or other time when you can safely take your VMs offline, update your base image with t[the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md).
+2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
+
+
+
+
+## Configure endpoints for optimal performance
+There are a number of settings that can help ensure optimal performance on your VMs and VDI without affecting the level of protection, including:
+    - [Randomize scheduled scans](#randomize-scheduled-scans)
+    - [Use quick scans](#use-quick-scans)
+    - [Prevent notifications](#prevent-notifications)
+    - [Disable scans from occuring after every update](#disable-scans-after-an-update)
+    - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
+
+These settings can be configured as part of creating your base image, or as a day-to-day management function of your VDI infrastructure or network.
+
+
+
+
+### Randomize scheduled scans
+
+Windows Defender AV supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjuction with [Disable scans from occuring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline).
+
+Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md).
+
+The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime.  
+ 
+<!-- individual instructions will be removed and linked to RS2 content when it’s live, for now I’ll put them inline-->
+
+**Use Group Policy to randomize scheduled scan start times:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender** and configure the following setting:
+    
+    1.  Double-click the **Randomize scheduled task times** setting and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the sechedule start time was set at 2.30pm, then enabling this setting  could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm.
+
+**Use Configuration Manager to randomize schedule scans:**
+
+See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch).
+
+See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans.
+
+### Use quick scans
+
+You can specify the type of scan that should be performed during a scheduled scan.
+Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. 
+
+**Use Group Policy to specify the type of scheduled scan:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+3.  Click **Policies** then **Administrative templates**.
+
+4.  Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:  
+    1.  Double-click the **Specify the scan type to use for a scheduled scan** setting and set the option to **Enabled** and **Quick scan**. Click **OK**. 
+
+**Use Configuration Manager to specify the type of scheduled scan:**
+
+See [How to create and deploy antimalware policies: Scheduled scans settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) for details on configuring System Center Configuration Manager (current branch).
+
+<!--
+See [Schedule scans](schedule-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans.
+-->
+
+### Prevent notifications
+
+Sometimes, Windows Defender AV notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the user interface for Windows Defender AV.
+
+**Use Group Policy to hide notifications:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings:
+    
+1.	Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
+2.	Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users.
+
+
+**Use Configuration Manager to hide notifications:**
+
+1.  On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2.  Go to the **Advanced** section and configure the following settings:
+
+1.	Set **Disable the client user interface** to **Yes**. This hides the entire Windows Defender AV user interface.
+2.	Set **Show notifications messages on the client computer...** to **Yes**. This hides notifications from appearing.
+
+3. Click **OK**.
+
+3.	[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+
+### Disable scans after an update
+
+This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you’ve already scanned it when you created the base image).
+
+>[!IMPORTANT]
+>Running scans after an update will help ensure your VMs are protected with the latest definition updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
+
+**Use Group Policy to disable scans after an update:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting:
+    
+1.  Double-click the **Turn on scan after signature update** setting and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update.
+
+
+**Use Configuration Manager to disable scans after an update:**
+
+1.  On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2.  Go to the **Scheduled scans** section and configure the following setting:
+
+1.	Set **Check for the latest definition updates before running a scan** to **No**. This prevents a scan after an update.
+
+3. Click **OK**.
+
+2.	[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+
+
+
+
+
+### Scan VMs that have been offline 
+
+This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan. 
+
+DisableCatchupQuickScan, is the setting that I use (set to OFF) to ensure that a quick scan is performed on a VM which has been offline and has missed a schedule scan. 
+
+
+**Use Group Policy to enable a catch-up scan:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
+    
+1.  Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
+
+
+**Use Configuration Manager to disable scans after an update:**
+
+1.  On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2.  Go to the **Scheduled scans** section and configure the following setting:
+
+1.	Set **Force a scan of the selected scan type if client computer is offline during...** to **Yes**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
+
+3. Click **OK**.
+
+2.	[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+
+
+
+### Exclusions
+Windows Server 2016 contains Windows Defender Antivirus and will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
+- [Automatic exclusions for Windows Server Antimalware](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender)
+
+## Additional resources
+
+- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
+- [Project VRC: Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/)
+- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
+- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) 
diff --git a/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
new file mode 100644
index 0000000000..30d7011a23
--- /dev/null
+++ b/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -0,0 +1,110 @@
+---
+title: Block Potentially Unwanted Applications with Windows Defender AV
+description: Enable the Potentially Unwanted Application (PUA) feature in Windows Defender Antivirus to block unwanted software such as adware.
+keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, windows defender
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: detect
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Detect and block Potentially Unwanted Applications
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- System Center Configuration Manager
+- PowerShell cmdlets
+- Microsoft Intune
+
+The Potentially Unwanted Application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network.
+
+These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have a poor reputation.
+
+Typical PUA behavior includes:
+- Various types of software bundling
+- Ad-injection into web browsers
+- Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs)
+
+These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications.
+
+## How it works
+
+PUAs are blocked when a user attempts to download or install the detected file, and if the file meets one of the following conditions:
+- The file is being scanned from the browser
+- The file is in the %downloads% folder
+- The file is in the %temp% folder
+
+The file is placed in the quarantine section so it won’t run. 
+
+When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). 
+
+They will also appear in the usual [quarantine list in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history).
+
+
+## View PUA events
+
+PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. 
+
+See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160.
+
+
+## Configure the PUA protection feature
+
+You can enable the PUA protection feature with System Center Configuration Manager, PowerShell cmdlets, or Microsoft Intune.
+
+You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log. 
+
+This feature is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives.
+
+
+**Use Configuration Manager to configure the PUA protection feature:**
+
+PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later. 
+
+See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch).
+
+For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA).
+
+> [!NOTE]
+> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.  
+
+**Use PowerShell cmdlets to configure the PUA protection feature:**
+
+Use the following cmdlet:
+
+```PowerShell
+Set-MpPreference -PUAProtection
+```
+
+Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. 
+
+Setting `AuditMode` will detect PUAs but will not block them.
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+
+**Use Intune to configure the PUA protection feature**
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+
+## Related topics
+
+- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
+
+
diff --git a/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md b/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
new file mode 100644
index 0000000000..ddb0ce57ac
--- /dev/null
+++ b/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
@@ -0,0 +1,153 @@
+---
+title: Enable cloud-delivered protection in Windows Defender Antivirus
+description: Enable cloud-delivered protection to benefit from fast and advanced protection features.
+keywords: windows defender antivirus, antimalware, security, cloud, block at first sight
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Enable cloud-delivered protection in Windows Defender AV
+
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager
+- PowerShell cmdlets
+- Windows Management Instruction (WMI)
+- Microsoft Intune
+- Windows Defender Security Center app
+
+
+>[!NOTE] 
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+
+
+You can enable or disable Windows Defender Antivirus cloud-delivered protection with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app.
+
+See [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-based protection.
+
+There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections for Windows Defender AV](configure-network-connections-windows-defender-antivirus.md) for more details.
+
+>[!NOTE]
+>In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
+
+
+**Use Group Policy to enable cloud-delivered protection:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > MAPS**
+    
+1.  Double-click the **Join Microsoft MAPS** setting and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**.
+
+1.  Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following:
+    
+    1. **Send safe samples** (1)
+    1. **Send all samples** (3)
+
+        > [!WARNING]
+        > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+
+1. Click **OK**.
+
+
+
+**Use Configuration Manager to enable cloud-delivered protection:**
+
+See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use PowerShell cmdlets to enable cloud-delivered protection:**
+
+Use the following cmdlets to enable cloud-delivered protection:
+
+```PowerShell
+Set-MpPreference -MAPSReporting Advanced
+Set-MpPreference -SubmitSamplesConsent 3
+```
+>[!NOTE]
+>You can also set -SubmitSamplesConsent to 1. Setting it to 0 will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)  and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn439474(v=vs.85).aspx) class for the following properties:
+
+```WMI
+MAPSReporting 
+SubmitSamplesConsent
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+**Use Intune to enable cloud-delivered protection**
+
+1.  Open the [Microsoft Intune administration console](https://manage.microsoft.com/), and navigate to the associated policy you want to configure.
+2.  Under the **Endpoint Protection** setting, scroll down to the **Endpoint Protection Service** section set the **Submit files automatically when further analysis is required** setting to either of the following:
+    1. **Send samples automatically**
+    1. **Send all samples automatically**
+
+        > [!WARNING]
+        > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+5. Scoll down to the **Microsoft Active Protection Service** section and set the following settings:
+    
+   Setting | Set to
+    --|--
+    Join Microsoft Active Protection Service | Yes
+    Membership level | Advanced
+    Receive dynamic definitions based on Microsoft Active Protection Service reports | Yes
+  
+3.  Save and [deploy the policy as usual](https://docs.microsoft.com/en-us/intune/deploy-use/common-windows-pc-management-tasks-with-the-microsoft-intune-computer-client).
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) for more details.
+
+**Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app**
+> [!NOTE]
+> If the **Configure local setting override for reporting Microsoft MAPS** GP setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+
+
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+
+![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png)
+    
+3.	Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
+
+>[!NOTE]
+>If automatic sample submission has been configured with GP then the setting will be greyed-out and unavailble.
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
+- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
+- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx)
+- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
\ No newline at end of file
diff --git a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
index 82a3908d87..0feb3a91f8 100644
--- a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
@@ -10,111 +10,9 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: dulcemv
+redirect_url: /detect-block-potentially-unwanted-apps-windows-defender-antivirus/
 ---
 
 # Detect and block Potentially Unwanted Application in Windows 10
 
-**Applies to:**
-
-- Windows 10
-
-You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
-
-Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
-
-Typical examples of PUA behavior include:
-*	Various types of software bundling
-*	Ad-injection into your browsers
-*	Driver and registry optimizers that detect issues, request payment to fix them, and persist
-
-These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
-
-Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
-
-##Enable PUA protection in System Center Configuration Manager and Intune
-
-The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
-
-###Configure PUA in System Center Configuration Manager
-
-For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
-
-If you are using these versions | See these topics
-:---|:---
-System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
-System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
-
-<br>
-###Use PUA audit mode in System Center Configuration Manager
-
-You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives.
-
-1. Open PowerShell as Administrator: <br>
-
-    a.  Click **Start**, type **powershell**, and press **Enter**.
-    
-    b.  Click **Windows PowerShell** to open the interface.
-    >[!NOTE]
-    >You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
-2. Enter the PowerShell command:
-
-  ```text
-  set-mpPreference -puaprotection 2
-  ```
-> [!NOTE]
-> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.  
-
-
-###Configure PUA in Intune
-
- PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
-
-
-###Use PUA audit mode in Intune
-
- You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
-
-1. Open PowerShell as Administrator: <br>
-
-    a.  Click **Start**, type **powershell**, and press **Enter**.
-    
-    b.  Click **Windows PowerShell** to open the interface.
-    
-    >[!NOTE]
-    >You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
-    
-2. Enter the PowerShell command:
-
-  ```text
-  set-mpPreference -puaprotection 1
-  ```
-
-##View PUA events
-
-PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
-
-1.  Open **Event Viewer**.
-2.  In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
-3.  Double-click on **Operational**.
-4.  In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
-
-You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
-
-
-##What PUA notifications look like
-
-When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
-
-
-To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
-
-##PUA threat naming convention
-
-When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
-
-##PUA blocking conditions
-
-PUA protection quarantines the file so they won’t run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
-*	The file is being scanned from the browser
-*	The file is in the %downloads% folder
-*	Or if the file in the %temp% folder
+This page has been redirected to *Detect and block unwanted applications*.
\ No newline at end of file
diff --git a/windows/keep-secure/evaluate-windows-defender-antivirus.md b/windows/keep-secure/evaluate-windows-defender-antivirus.md
new file mode 100644
index 0000000000..af84e29eb5
--- /dev/null
+++ b/windows/keep-secure/evaluate-windows-defender-antivirus.md
@@ -0,0 +1,51 @@
+---
+title: Evaluate Windows Defender Antivirus
+description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Windows Defender Antivirus in Windows 10.
+keywords: windows defender antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Evaluate Windows Defender Antivirus protection
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+
+If you�re an enterprise security administrator, and you want to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications, then you can use this guide to help you evaluate Microsoft protection.
+
+It explains the important features available for both small and large enterprises in Windows Defender, and how they will increase malware detection and protection across your network.
+
+You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings.
+
+The guide is available in PDF format for offline viewing:
+- [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795)
+
+You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery:
+- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/1.0/DisplayScript)
+
+> [!IMPORTANT]
+> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus protection. Enabling all of the settings in this guide may not be suitable for real-world deployment.
+>
+> For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network, see the [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md) topic in this library. 
+
+
+## Related topics
+
+- [Windows Defender Antivirus](windows-defender-in-windows-10.md)
+- [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md)
+
+
+
diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
index f7c920bb4f..e9c2b82470 100644
--- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
@@ -8,183 +8,9 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: jasesso
+redirect_url: /deploy-manage-report-windows-defender-antivirus/
 ---
 
 # Update and manage Windows Defender in Windows 10
 
-**Applies to**
--   Windows 10
-
-IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using:
-
--   Group Policy Settings
--   Windows Management Instrumentation (WMI)
--   PowerShell
-
-## Manage Windows Defender endpoints through Active Directory and WSUS
-
-All Windows 10 endpoints are installed with Windows Defender and include support for management through:
--   Active Directory
--   WSUS
-
-You can use the Active Directory to configure the settings; Group policies can be used for centralized configuration and enforcement of many Windows Defender settings including client user interface, scan settings, and exclusions.
-WSUS can be used to view basic update compliance and deploy updates manually or through automatic rules.
-
-Note that System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
-
--   Settings management
--   Definition update management
--   Alerts and alert management
--   Reports and reporting
-
-When you enable *Endpoint Protection* on your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for System Center Endpoint Protection or Intune will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed. Learn more about managing *Endpoint Protection*:
-
--   [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://technet.microsoft.com/library/dn646970.aspx)
--   [Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508760.aspx)
-
-Read more about System Center Configuration Manager in [Introduction to Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508781.aspx).
-> **Important:**  You must be licensed to use *Endpoint Protection* to manage clients in your Configuration Manager hierarchy.
- 
-## Apply updates to Windows Defender endpoints
-
-It is important to keep Windows Defender endpoints updated to ensure they are protected. All Windows Defender updates, including General Distribution Release (GDR) updates, are now applied as operating system updates.
-You can manage the distribution of updates through the [Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157).
-
-## Manage email scans in Windows Defender
-
-You can use Windows Defender to scan email files. Malware can install itself and hide in email files, and although real-time protection offers you the best protection from email malware, you can also scan emails stored on your PC or server with Windows Defender.
-> **Important:**  Mail scanning only applies to on-demand and scheduled scans, not on-access scans.
- 
-Windows Defender scans Microsoft Office Outlook 2003 and older email files. We identify the file type at run-time based on the content of the file, not on location or extension.
-> **Note: **  Scanning email files might increase the time required to complete a scan.
- 
-Windows Defender can extract embedded objects within a file (attachments and archived files, for example) and scan internally.
-> **Note:**  While Windows Defender can be configured to scan email files, it can only remediate threats detected inside certain files, for example:
--   DBX
--   MBX
--   MIME
- 
-You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using real-time protection to protect against email malware.
-
-If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
--   Email subject
--   Attachment name
-Email scanning in Windows Defender is turned off by default. There are three ways you can manage scans through Windows Defender:
--   *Group Policy* settings
--   WMI
--   PowerShell
-> **Important:**  There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
--   [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
--   [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
- 
-## Use *Group Policy* settings to enable email scans
-
-This policy setting allows you to turn on email scanning. When email scanning is enabled, the engine will parse the mailbox and mail files to analyze the mail bodies and attachments.
-
-Turn on email scanning with the following *Group Policy* settings:
-1.  Open the **Group Policy Editor**.
-2.  In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
-3.  Click **Scan**.
-4.  Double-click **Turn on e-mail scanning**.
-
-    This will open the **Turn on e-mail scanning** window:
-    
-    ![turn on e-mail scanning window](images/defender-scanemailfiles.png)
-    
-5.  Select **Enabled**.
-6.  Click **OK** to apply changes.
-
-## Use WMI to disable email scans
-
-You can write a WMI script or application to disable email scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
-
-Use the **DisableEmailScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
-**DisableEmailScanning**
-Data type: **boolean**
-Access type: Read-only
-Disable email scanning.
-
-## Use PowerShell to enable email scans
-
-You can also enable email scanning using the following PowerShell parameter:
-1.  Open PowerShell or PowerShellIntegrated Scripting Environment (ISE).
-2.  Type **Set-MpPreference -DisableEmailScanning $false**.
-
-Read more about this in:
--   [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
--   [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-
-## Manage archive scans in Windows Defender
-
-You can use Windows Defender to scan archive files. Malware can install itself and hide in archive files, and although real-time protection offers you the best protection from malware, you can also scan archives stored on your PC or server with Windows Defender.
-> **Important:**  Archive scanning only applies to on-demand and scheduled scans, not on-access scans.
- 
-Archive scanning in Windows Defender is turned on by default. There are four ways you can manage scans through Windows Defender:
--   *Group Policy* settings
--   WMI
--   PowerShell
--   Endpoint Protection
-> **Note:**  Scanning archive files might increase the time required to complete a scan.
- 
-If you exclude an archive file type by using the **Extensions** box, Windows Defender will not scan files with that extension (no matter what the content is), even when you have selected the **Scan archive files** check box. For example, if you exclude .rar files but there’s a .r00 file that’s actually .rar content, it will still be scanned if archive scanning is enabled.
-
-## Use *Group Policy* settings to enable archive scans
-
-This policy setting allows you to turn on archive scanning.
-
-Turn on email scanning with the following *Group Policy* settings:
-1.  Open the **Group Policy Editor**.
-2.  In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
-3.  Click **Scan**.
-4.  Double-click **Scan archive files**.
-
-    This will open the **Scan archive files** window:
-    
-    ![scan archive files window](images/defender-scanarchivefiles.png)
-    
-5.  Select **Enabled**.
-6.  Click **OK** to apply changes.
-
-There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example:
--   Maximum directory depth level into which archive files are unpacked during scanning
-
-    ![specify the maximum depth to scan archive files window](images/defender-scanarchivedepth.png)
-    
--   Maximum size of archive files that will be scanned
-
-    ![specify the maximum size of archive files to be scanned window](images/defender-scanarchivesize.png)
-    
--   Maximum percentage CPU utilization permitted during a scan
-
-    ![specify the maximum percentage od cpu utilization during a scan window](images/defender-scanarchivecpu.png)
-
-## Use WMI to disable archive scans
-
-You can write a WMI script or application to disable archive scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
-
-Use the **DisableArchiveScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
-**DisableArchiveScanning**
-Data type: **boolean**
-Access type: Read-only
-Disable archive scanning.
-
-## Use PowerShell to enable archive scans
-
-You can also enable archive scanning using the following PowerShell parameter:
-1.  Open PowerShell or PowerShellISE.
-2.  Type **Set-MpPreference -DisableArchiveScanning $false**.
-
-Read more about this in:
--   [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
--   [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-
-## Use Endpoint Protection to configure archive scans
-
-In Endpoint Protection, you can use the advanced scanning options to configure archive scanning. For more information, see [What are advanced scanning options?](https://technet.microsoft.com/library/ff823807.aspx)
-
-## Related topics
-
-- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
- 
- 
+This page has been redirected to *Windows Defender Antivirus in Windows 10*.
diff --git a/windows/keep-secure/images/defender/malware-detected.png b/windows/keep-secure/images/defender/malware-detected.png
new file mode 100644
index 0000000000..91fce5a44b
Binary files /dev/null and b/windows/keep-secure/images/defender/malware-detected.png differ
diff --git a/windows/keep-secure/images/defender/order-update-sources-wdav.png b/windows/keep-secure/images/defender/order-update-sources-wdav.png
new file mode 100644
index 0000000000..904f314699
Binary files /dev/null and b/windows/keep-secure/images/defender/order-update-sources-wdav.png differ
diff --git a/windows/keep-secure/images/defender/quarantine.png b/windows/keep-secure/images/defender/quarantine.png
new file mode 100644
index 0000000000..6a908aedec
Binary files /dev/null and b/windows/keep-secure/images/defender/quarantine.png differ
diff --git a/windows/keep-secure/images/defender/wdav-bafs-edge.png b/windows/keep-secure/images/defender/wdav-bafs-edge.png
new file mode 100644
index 0000000000..d7376570b6
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-bafs-edge.png differ
diff --git a/windows/keep-secure/images/defender/wdav-bafs-ie.png b/windows/keep-secure/images/defender/wdav-bafs-ie.png
new file mode 100644
index 0000000000..94cb3a30fb
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-bafs-ie.png differ
diff --git a/windows/keep-secure/images/defender/wdav-extension-exclusions.png b/windows/keep-secure/images/defender/wdav-extension-exclusions.png
new file mode 100644
index 0000000000..e1a86e09e0
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-extension-exclusions.png differ
diff --git a/windows/keep-secure/images/defender/wdav-headless-mode-1607.png b/windows/keep-secure/images/defender/wdav-headless-mode-1607.png
new file mode 100644
index 0000000000..7ccaf5d0ff
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-headless-mode-1607.png differ
diff --git a/windows/keep-secure/images/defender/wdav-headless-mode-1703.png b/windows/keep-secure/images/defender/wdav-headless-mode-1703.png
new file mode 100644
index 0000000000..d4288ca82c
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-headless-mode-1703.png differ
diff --git a/windows/keep-secure/images/defender/wdav-headless-mode-off-1703.png b/windows/keep-secure/images/defender/wdav-headless-mode-off-1703.png
new file mode 100644
index 0000000000..d5599ce99b
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-headless-mode-off-1703.png differ
diff --git a/windows/keep-secure/images/defender/wdav-history-wdsc.png b/windows/keep-secure/images/defender/wdav-history-wdsc.png
new file mode 100644
index 0000000000..cdc75b8852
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-history-wdsc.png differ
diff --git a/windows/keep-secure/images/defender/wdav-malware-detected.png b/windows/keep-secure/images/defender/wdav-malware-detected.png
new file mode 100644
index 0000000000..b0add084db
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-malware-detected.png differ
diff --git a/windows/keep-secure/images/defender/wdav-order-update-sources.png b/windows/keep-secure/images/defender/wdav-order-update-sources.png
new file mode 100644
index 0000000000..fb6fefee98
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-order-update-sources.png differ
diff --git a/windows/keep-secure/images/defender/wdav-path-exclusions.png b/windows/keep-secure/images/defender/wdav-path-exclusions.png
new file mode 100644
index 0000000000..2fb0f6e107
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-path-exclusions.png differ
diff --git a/windows/keep-secure/images/defender/wdav-process-exclusions.png b/windows/keep-secure/images/defender/wdav-process-exclusions.png
new file mode 100644
index 0000000000..559d65ac2f
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-process-exclusions.png differ
diff --git a/windows/keep-secure/images/defender/wdav-protection-settings-wdsc.png b/windows/keep-secure/images/defender/wdav-protection-settings-wdsc.png
new file mode 100644
index 0000000000..854e2b209d
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-protection-settings-wdsc.png differ
diff --git a/windows/keep-secure/images/defender/wdav-quarantined-history-wdsc.png b/windows/keep-secure/images/defender/wdav-quarantined-history-wdsc.png
new file mode 100644
index 0000000000..e8e2eec956
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-quarantined-history-wdsc.png differ
diff --git a/windows/keep-secure/images/defender/wdav-settings-old.png b/windows/keep-secure/images/defender/wdav-settings-old.png
new file mode 100644
index 0000000000..05c23e510a
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-settings-old.png differ
diff --git a/windows/keep-secure/images/defender/wdav-wdsc.png b/windows/keep-secure/images/defender/wdav-wdsc.png
new file mode 100644
index 0000000000..81c50c1635
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-wdsc.png differ
diff --git a/windows/keep-secure/images/defender/wdav-windows-defender-app-old.png b/windows/keep-secure/images/defender/wdav-windows-defender-app-old.png
new file mode 100644
index 0000000000..09cea8052c
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-windows-defender-app-old.png differ
diff --git a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md
index 3b6173cf5c..e188c2bed0 100644
--- a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md
+++ b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md
@@ -43,10 +43,10 @@ The following table lists the actual and effective default values for this polic
 | - | - |
 | Default Domain Policy| Not defined| 
 | Default Domain Controller Policy | Not defined| 
-| Stand-Alone Server Default Settings | 14 days|
-| DC Effective Default Settings | 14 days | 
-| Member Server Effective Default Settings| 14 days |
-| Client Computer Effective Default Settings | 14 days| 
+| Stand-Alone Server Default Settings | 5 days|
+| DC Effective Default Settings | 5 days | 
+| Member Server Effective Default Settings| 5 days |
+| Client Computer Effective Default Settings | 5 days| 
  
 ## Policy management
 
@@ -74,11 +74,11 @@ If user passwords are configured to expire periodically in your organization, us
 
 ### Countermeasure
 
-Configure the **Interactive logon: Prompt user to change password before expiration** setting to 14 days.
+Configure the **Interactive logon: Prompt user to change password before expiration** setting to 5 days.
 
 ### Potential impact
 
-Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 14 or fewer days.
+Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days.
 
 ## Related topics
 
diff --git a/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md b/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
new file mode 100644
index 0000000000..39ecd14409
--- /dev/null
+++ b/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
@@ -0,0 +1,179 @@
+---
+title: Apply Windows Defender AV updates after certain events
+description: Manage how Windows Defender Antivirus applies proteciton updates after startup or receiving cloud-delivered detection reports.
+keywords: updates, protection, force updates, events, startup, check for latest, notifications
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Manage event-based forced updates
+
+**Applies to**
+-   Windows 10
+
+**Audience**
+
+- Network administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager
+- PowerShell cmdlets
+- Windows Management Instruction (WMI)
+
+
+Windows Defender AV allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
+
+
+## Check for protection updates before running a scan
+
+You can use Group Policy, Configuration Manager, PowerShell cmdlets, and WMI to force Windows Defender AV to check and download protection updates before running a scheduled scan.
+
+
+**Use Group Policy to check for protection updates before running a scan:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
+
+6.  Double-click the **Check for the latest virus and spyware definitions before running a scheduled scan** setting and set the option to **Enabled**. 
+
+7.  Click **OK**.
+
+**Use Configuration Manager to check for protection updates before running a scan:**
+
+1.  On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2.  Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**.
+
+3. Click **OK**.
+
+4.	[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+
+**Use PowerShell cmdlets to to check for protection updates before running a scan:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -CheckForSignaturesBeforeRunningScan
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)  and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Use Windows Management Instruction (WMI) to to check for protection updates before running a scan**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+CheckForSignaturesBeforeRunningScan
+```
+
+See the following for more information:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+
+
+## Check for protection updates on startup
+
+You can use Group Policy to force Windows Defender AV to check and download protection updates when the machine is started.
+
+**Use Group Policy to download protection updates at startup:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+
+5.  Double-click the **Check for the latest virus and spyware definitions on startup** setting and set the option to **Enabled**. 
+
+6.  Click **OK**.
+
+You can also use Group Policy, PowerShell, or WMI to configure Windows Defender AV to check for updates at startup even when it is not running.
+
+**Use Group Policy to download updates when Windows Defender AV is not present:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+
+6.  Double-click the **Initiate definition update on startup** setting and set the option to **Enabled**. 
+
+7.  Click **OK**.
+
+**Use PowerShell cmdlets to download updates when Windows Defender AV is not present:**
+
+Use the following cmdlets to enable cloud-delivered protection:
+
+```PowerShell
+Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)  and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Use Windows Management Instruction (WMI) to download updates when Windows Defender AV is not present:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureDisableUpdateOnStartupWithoutEngine
+```
+
+See the following for more information:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+
+<a id="cloud-report-updates"></a>
+## Allow ad hoc changes to protection based on cloud-delivered protection
+
+Windows Defender AV can make changes to its protection based on cloud-delivered protection. This can occur outside of normal or scheduled protection updates.
+
+If you have enabled cloud-delivered protection, Windows Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Windows Defender AV to automatically receive that protection update. Other important protection updates can also be applied.
+
+**Use Group Policy to automatically download recent updates based on cloud-delivered protection:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following:
+    1. Double-click the **Allow real-time definition updates based on reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**.
+    2. Double-click the **Allow notifications to disable definitions based reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**.
+
+
+
+## Related topics
+
+- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
+- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+
+
+
diff --git a/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
new file mode 100644
index 0000000000..87b9ad4cbd
--- /dev/null
+++ b/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -0,0 +1,190 @@
+---
+title: Apply Windows Defender AV protection updates to out of date endpoints
+description: Define when and how updates should be applied for endpoints that have not updated in a while.
+keywords: updates, protection, out-of-date, outdated, old, catch-up
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Manage updates and scans for endpoints that are out of date
+
+**Applies to**
+-   Windows 10
+
+**Audience**
+
+- Network administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager
+- PowerShell cmdlets
+- Windows Management Instruction (WMI)
+
+
+
+Windows Defender AV lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
+
+For example, an employee that uses a particular PC is on break for three days and does not log on to their PC during that time.
+
+When the user returns to work and logs on to their PC, Windows Defender AV will immediately check and download the latest protection updates, and run a scan.
+
+## Set up catch-up protection updates for endpoints that haven't updated for a while
+
+If Windows Defender AV did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md).
+
+**Use Group Policy to enable and configure the catch-up update feature:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+
+6.  Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
+
+7. Click **OK**.
+
+**Use PowerShell cmdlets to configure catch-up protection updates:**
+
+Use the following cmdlets to enable cloud-delivered protection:
+
+```PowerShell
+Set-MpPreference -SignatureUpdateCatchupInterval
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)  and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to configure catch-up protection updates:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureUpdateCatchupInterval
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+**Use Configuration Manager to configure catch-up protection updates:**
+
+1.  On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2.  Go to the **Definition updates** section and configure the following settings:
+
+    1.	Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
+    2.	For the  **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
+
+3. Click **OK**.
+
+4.	[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+
+
+## Set the number of days before protection is reported as out-of-date
+
+You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
+
+**Use Group Policy to specify the number of days before protection is considered out-of-date:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
+
+    1.  Double-click the **Define the number of days before spyware definitions are considered out of date** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider spyware definitions as out-of-date.
+
+    2. Click **OK**.
+
+    3.  Double-click the **Define the number of days before virus definitions are considered out of date** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider virus and other threat definitions as out-of-date.
+
+    4. Click **OK**.
+
+
+
+
+## Set up catch-up scans for endpoints that have not been scanned for a while
+
+You can set the number of consecutive scheduled scans that can be missed before Windows Defender AV will force a scan.
+
+The process for enabling this feature is:
+
+1. Set up at least one scheduled scan (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic).
+2. Enable the catch-up scan feature.
+3. Define the number of scans that can be skipped before a catch-up scan occurs.
+
+This feature can be enabled for both full and quick scans.
+
+**Use Group Policy to enable and configure the catch-up scan feature:**
+
+1.  Ensure you have set up at least one scheduled scan.
+
+2.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Scan** and configure the following settings:
+
+    1.  If you have set up scheduled quick scans, double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. 
+    2. If you have set up scheduled full scans, double-click the **Turn on catch-up full scan** setting and set the option to **Enabled**. Click **OK**.
+    3. Double-click the **Define the number of days after which a catch-up scan is forced** setting and set the option to **Enabled**. 
+    4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic). Click **OK**.
+
+> [!NOTE]
+> The GP setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run.
+
+**Use PowerShell cmdlets to XX:**
+
+Use the following cmdlets to enable cloud-delivered protection:
+
+```PowerShell
+Set-MpPreference -DisableCatchupFullScan
+Set-MpPreference -DisableCatchupQuickScan
+
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)  and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to configure catch-up scans:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+DisableCatchupFullScan
+DisableCatchupQuickScan
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+**Use Configuration Manager to configure catch-up scans:**
+
+1.  On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2.  Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**. 
+
+3. Click **OK**.
+
+4.	[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+
+
+## Related topics
+
+- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
+- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
diff --git a/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md
new file mode 100644
index 0000000000..8112758cdd
--- /dev/null
+++ b/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md
@@ -0,0 +1,111 @@
+---
+title: Schedule Windows Defender Antivirus protection updates
+description: Schedule the day, time, and interval for when protection updates should be downloaded 
+keywords: updates, security baselines, schedule updates
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Manage the schedule for when protection updates should be downloaded and applied
+
+**Applies to**
+-   Windows 10
+
+**Audience**
+
+- Network administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager
+- PowerShell cmdlets
+- Windows Management Instruction (WMI)
+
+
+Windows Defender AV lets you determine when it should look for and download updates.
+
+You can schedule updates for your endpoints by: 
+
+- Specifying the day of the week to check for protection updates 
+- Specifying the interval to check for protection updates
+- Specifying the time to check for protection updates
+
+You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information.
+
+**Use Group Policy to schedule protection updates:**
+
+> [!IMPORTANT]
+> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
+
+    1.  Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the nuber of hours between updates. Click **OK**.
+    2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
+    3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
+
+
+**Use Configuration Manager to schedule protection updates:**
+
+1.  On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2.  Go to the **Definition updates** section.
+
+3. To check and download updates at a certain time:
+      1. Set **Check for Endpoint Protection definitions at a specific interval...** to **0**.
+      2. Set **Check for Endpoint Protection definitions daily at...** to the time when updates should be checked.
+      3
+4. To check and download updates on a continual interval, Set **Check for Endpoint Protection definitions at a specific interval...** to the number of hours that should occur between updates.
+
+5.	[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+
+
+**Use PowerShell cmdlets to schedule protection updates:**
+
+Use the following cmdlets to enable cloud-delivered protection:
+
+```PowerShell
+Set-MpPreference -SignatureScheduleDay
+Set-MpPreference -SignatureScheduleTime
+Set-MpPreference -SignatureUpdateInterval
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)  and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to schedule protection updates:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureScheduleDay
+SignatureScheduleTime
+SignatureUpdateInterval
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+## Related topics
+
+- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
+- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+
+
+
+
+
+
diff --git a/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md b/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md
new file mode 100644
index 0000000000..00e332bca1
--- /dev/null
+++ b/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md
@@ -0,0 +1,136 @@
+---
+title: Manage how and where Windows Defender AV receives updates
+description: Manage how Windows Defender Antivirus receives protection updates.
+keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Manage Windows Defender Antivirus protection and definition updates
+
+**Applies to**
+-   Windows 10
+
+**Audience**
+
+- Network administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager
+- PowerShell cmdlets
+- Windows Management Instruction (WMI)
+
+<a id="protection-updates"></a>  
+<!-- this has been used as anchor in VDI content -->
+
+Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
+
+The cloud-based protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured).  
+
+There are two components to managing protection updates - where the updates are downloaded from, and when updates are downloaded and applied.
+
+This topic describes the locations 
+
+<a id="fallback-order"></a>
+## Manage the fallback order for downloading protection updates
+There are five locations where you can specify where an endpoint should obtain updates. Typically, you would configure each endpoint to individually download the updates from a primary source and specify fallback sources in case the primary source is unavailable.
+
+-   [Windows Server Update Service (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx)
+-   Microsoft Update.
+-   The [Microsoft Malware Protection Center definitions page (MMPC)](http://www.microsoft.com/security/portal/definitions/adl.aspx)
+-   A network file share
+-   Configuration manager
+
+Each location has typical scenarios (in addition to acting as fallback locations) for when you would use that source, as described in the following table:
+
+Location | Sample scenario
+---|---
+WSUS | You are using WSUS to manage updates for your network
+Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network.
+MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md).
+File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.
+Configuration Manager | You are using System Center Configuration Manager to update your endpoints.
+
+You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI.
+
+> [!IMPORTANT]
+> If you set WSUS as a download location, you must approve the updates - regardless of what management tool you use to specify the location. You can set up an automatic approval rule with WSUS, which may be useful as updates arrive at least once a day. See [To synchronize endpoint protection updates in standalone WSUS](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) for more details.
+
+
+**Use Group Policy to manage the update location:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings:
+    
+    1.  Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**.  
+
+    2.  Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, shown in the following screenshot.  
+
+    ![Screenshot of group policy setting listing the order of sources](images/defender/wdav-order-update-sources.png)
+
+    3.  Click **OK**. This will set the order of protection update sources.  
+
+    1.  Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**.  
+
+    2.  Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/en-us/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`.  If you do not enter any paths then this source will be skipped when the VM downloads updates.
+
+    3.  Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
+
+
+**Use Configuration Manager to manage the update location:**
+
+See [Configure Definition Updates for Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use PowerShell cmdlets to manage the update location:**
+
+Use the following PowerShell cmdlets to set the update order.
+
+```PowerShell
+Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
+Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce {\\UNC SHARE PATH|\\UNC SHARE PATH}
+```
+See the following for more information:
+- [Set-MpPreference -SignatureFallbackOrder](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference#-signaturefallbackorder)
+- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
+- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
+- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) 
+
+**Use Windows Management Instruction (WMI) to manage the update location:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+
+
+
+
+
+
+## Related topics
+
+- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
+- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
diff --git a/windows/keep-secure/manage-updates-baselines-windows-defender-antivirus.md b/windows/keep-secure/manage-updates-baselines-windows-defender-antivirus.md
new file mode 100644
index 0000000000..f2036b77ff
--- /dev/null
+++ b/windows/keep-secure/manage-updates-baselines-windows-defender-antivirus.md
@@ -0,0 +1,53 @@
+---
+title: Manage Windows Defender Antivirus updates and apply baselines
+description: Manage how Windows Defender Antivirus receives protection and product updates.
+keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Manage Windows Defender Antivirus updates and apply baselines
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Network administrators
+
+There are two types of updates related to keeping Windows Defender Antivirus:
+1. Protection updates
+2. Product updates
+
+You can also apply [Windows security baselines](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection.
+
+## Protection updates
+
+Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
+
+The cloud-based protection is �always-on� and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. 
+
+
+## Product updates
+
+Windows Defender AV requires monthly updates (known as "engine updates"), and will receive major feature updates alongside Windows 10 releases.
+
+You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
+
+## In this section
+
+Topic | Description 
+---|---
+[Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
+[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
+[Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
+[Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-based protection events.
+[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
diff --git a/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
new file mode 100644
index 0000000000..660d4049a7
--- /dev/null
+++ b/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
@@ -0,0 +1,104 @@
+---
+title: Define how mobile devices are updated by Windows Defender AV
+description: Manage how mobile devices, such as laptops, should be updated with Windows Defender AV protection updates.
+keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Manage updates for mobile devices and virtual machines (VMs)
+
+**Applies to**
+-   Windows 10
+
+**Audience**
+
+- Network administrators
+
+**Manageability available with**
+
+- Group Policy
+
+
+
+
+Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates.
+
+There are two settings that are particularly useful for these devices:
+
+- Opt-in to Microsoft Update on mobile computers without a WSUS connection
+- Prevent definition updates when running on battery power
+
+The following topics may also be useful in this situations:
+- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
+
+## Opt-in to Microsoft Update on mobile computers without a WSUS connection
+
+You can use Microsoft Update to keep definitions on mobile devices running Windows Defender AV up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. 
+
+This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update.
+
+You can opt-in to Microsoft Update on the mobile device in one of the following ways:
+
+1. Change the setting with Group Policy
+2. Use a VBScript to create a script, then run it on each computer in your network.
+3. Manually opt-in every computer on your network through the **Settings** menu.
+
+**Use Group Policy to opt-in to Microsoft Update:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+
+6.  Double-click the **Allow definition updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
+
+
+**Use a VBScript to opt-in to Microsoft Update**
+
+1.  Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
+2.  Run the VBScript you created on each computer in your network.
+
+
+**Manually opt-in to Microsoft Update**
+
+1.  Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
+2.  Click **Advanced** options.
+3.  Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
+
+## Prevent definition updates when running on battery power
+
+You can configure Windows Defender AV to only download protection updates when the PC is connected to a wired power source. 
+
+**Use Group Policy to prevent definition updates on battery power:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following setting:
+
+    1. Double-click the **Allow definition updates when running on battery power** setting and set the option to **Disabled**. 
+    2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.
+
+
+
+
+
+## Related topics
+
+- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
diff --git a/windows/keep-secure/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/keep-secure/prevent-end-user-interaction-windows-defender-antivirus.md
new file mode 100644
index 0000000000..ce95481ff2
--- /dev/null
+++ b/windows/keep-secure/prevent-end-user-interaction-windows-defender-antivirus.md
@@ -0,0 +1,89 @@
+---
+title: Hide the Windows Defender Antivirus interface
+description: You can hide virus and threat protection tile in the Windows Defender Security Center app.
+keywords: ui lockdown, headless mode, hide app, hide settings, hide interface
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Prevent users from seeing or interacting with the Windows Defender AV user interface
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+
+
+You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans.
+
+## Hide the Windows Defender Antivirus interface
+
+In Windows 10, versions 1703, hiding the interface will hide Windows Defender AV notifications and prevent the Virus & threat protection tile from appearing in the Windows Defender Security Center app.
+
+With the setting set to **Enabled**:
+
+![Screenshot of Windows Defender Security Center without the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-1703.png)
+
+With the setting set to **Disabled** or not configured:
+
+![Scheenshot of Windows Defender Security Center showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png)
+
+>[!NOTE]
+>Hiding the interface will also prevent Windows Defender AV notifications from appearing on the endpoint. Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+
+
+In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.":
+
+![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703 that says Your system administrator has restricted access to this app](images/defender/wdav-headless-mode-1607.png)
+
+**Use Group Policy to hide the Windows Defender AV interface from users:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
+
+6. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. 
+
+
+Also see the [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topic for more options on preventing users form modifying protection on their PCs.
+
+## Prevent users from pausing a scan
+
+You can prevent users from pausing scans. This can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
+
+
+**Use Group Policy to prevent users from pausing a scan:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
+
+6. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**. 
+
+
+## Related topics
+
+
+- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/report-monitor-windows-defender-antivirus.md b/windows/keep-secure/report-monitor-windows-defender-antivirus.md
new file mode 100644
index 0000000000..c2a5ab14a1
--- /dev/null
+++ b/windows/keep-secure/report-monitor-windows-defender-antivirus.md
@@ -0,0 +1,38 @@
+---
+title: Monitor and report on Windows Defender Antivirus protection
+description: Use Configuration Manager or SIEM tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI.
+keywords: siem, monitor, report, windows defender av
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Report on Windows Defender Antivirus protection
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- IT administrators
+
+There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender AV.
+
+
+
+You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](ttps://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).  
+
+If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
+
+For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, managament, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref1).
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
diff --git a/windows/keep-secure/review-scan-results-windows-defender-antivirus.md b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
new file mode 100644
index 0000000000..7147c968b9
--- /dev/null
+++ b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
@@ -0,0 +1,15 @@
+---
+title: Review the results of Windows Defender AV scans 
+description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Review Windows Defender AV scan results
diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
index 2234eebd86..f8f3682a5d 100644
--- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
@@ -10,46 +10,9 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: mjcaparas
+redirect_url: /command-line-arguments-windows-defender-antivirus/
 ---
 
 # Run a Windows Defender scan from the command line
 
-**Applies to:**
-
-- Windows 10
-
-IT professionals can use a command-line utility to run a Windows Defender scan. 
-
-The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_.
-
-This utility can be handy when you want to automate the use of Windows Defender. 
-
-**To run a quick scan from the command line**
-
-1. Click **Start**, type **cmd**, and press **Enter**.
-2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
-
-```
-C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1
-```
-The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished. 
-
-
-The utility also provides other commands that you can run:
-
-```
-MpCmdRun.exe [command] [-options]
-```
-
-Command | Description 
-:---|:---
-\- ? / -h | Displays all available options for the tool
-\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious software
-\-Trace  [-Grouping #] [-Level #]| Starts diagnostic tracing
-\-GetFiles | Collects support information
-\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
-\-AddDynamicSignature [-Path] | Loads a dynamic signature
-\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
-\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
-<br>
-The command-line utility provides detailed information on the other commands supported by the tool. 
+This page has been redirected to *Use�the�mpcmdrun.exe�commandline�tool�to�configure�and�manage�Windows�Defender�Antivirus*.
\ No newline at end of file
diff --git a/windows/keep-secure/run-scan-windows-defender-antivirus.md b/windows/keep-secure/run-scan-windows-defender-antivirus.md
new file mode 100644
index 0000000000..2c09909c04
--- /dev/null
+++ b/windows/keep-secure/run-scan-windows-defender-antivirus.md
@@ -0,0 +1,59 @@
+---
+title: Run and customize on-demand scans in Windows Defender AV
+description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+
+
+
+# Configure and run Windows Defender AV scans
+
+**Applies to:**
+
+- Windows 10
+
+IT professionals can use a command-line utility to run a Windows Defender scan. 
+
+The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_.
+
+This utility can be handy when you want to automate the use of Windows Defender. 
+
+**To run a quick scan from the command line**
+
+1. Click **Start**, type **cmd**, and press **Enter**.
+2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
+
+```
+C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1
+```
+The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished. 
+
+
+The utility also provides other commands that you can run:
+
+```
+MpCmdRun.exe [command] [-options]
+```
+
+Command | Description 
+:---|:---
+\- ? / -h | Displays all available options for the tool
+\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious software
+\-Trace  [-Grouping #] [-Level #]| Starts diagnostic tracing
+\-GetFiles | Collects support information
+\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
+\-AddDynamicSignature [-Path] | Loads a dynamic signature
+\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
+\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
+<br>
+The command-line utility provides detailed information on the other commands supported by the tool. 
diff --git a/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
new file mode 100644
index 0000000000..0c16327c23
--- /dev/null
+++ b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -0,0 +1,50 @@
+---
+title: Schedule regular scans with Windows Defender AV
+description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+# Configure scheduled scans for Windows Defender AV
+
+
+
+**Applies to**
+-   Windows 10
+
+**Audience**
+
+- Network administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager
+- PowerShell cmdlets
+- Windows Management Instruction (WMI)
+
+
+
+> [!IMPORTANT]
+> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default. 
+
+
+RANDOMIZE
+
+
+
+
+
+## Related topics
+
+- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
+- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
diff --git a/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md
new file mode 100644
index 0000000000..923b49d30a
--- /dev/null
+++ b/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -0,0 +1,69 @@
+---
+title: Specify cloud-delivered protection level in Windows Defender Antivirus
+description: Set the aggressiveness of cloud-delivered protection in Windows Defender Antivirus.
+keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Specify the cloud-delivered protection level
+
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager (current branch)
+
+You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager.
+
+>[!NOTE] 
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+
+
+**Use Group Policy to specify the level of cloud-delivered protection:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.  
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
+
+1.  Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:  
+    1.  Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files.  
+    2.  Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection).  
+ 
+1. Click **OK**.
+
+  
+**Use Configuration Manager to specify the level of cloud-delivered protection:**
+
+1.  See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+
+
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
+
+
diff --git a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
new file mode 100644
index 0000000000..0006cde7b3
--- /dev/null
+++ b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
@@ -0,0 +1,3325 @@
+---
+title: Windows Defender AV event IDs and error codes
+description: Look up the causes and solutions for Windows Defender Antivirus event IDs and errors
+keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
+ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Review event logs and error codes to troubleshoot issues with Windows Defender AV
+
+
+**Applies to**
+-   Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
+
+The tables list:
+
+- [Windows Defender AV client event IDs](#windows-defender-av-ids)
+- [Windows Defender AV client error codes](#error-codes)
+- [Internal Windows Defender AV client error codes (used by Microsoft during development and testing)](#internal-error-codes)
+
+
+<a id="windows-defender-av-ids"></a>
+## Windows Defender AV client event IDs
+
+Windows Defender AV records event IDs in the Windows event log.
+
+You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
+
+The table in this section lists the main Windows Defender Antivirus client event IDs and, where possible, provides suggested solutions to fix or resolve the error. 
+
+**To view a Windows Defender client event**
+
+1.  Open **Event Viewer**.
+2.  In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
+3.  Double-click on **Operational**.
+4.  In the details pane, view the list of individual events to find your event.
+5.  Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
+
+
+
+<table>
+<tr>
+<th rowspan="3">Event ID: 1000</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SCAN_STARTED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>An antimalware scan started.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<dl>
+<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
+<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+</ul>
+</dt>
+<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
+<li>Full scan</li>
+<li>Quick scan</li>
+<li>Customer scan</li>
+</ul>
+</dt>
+<dt>Scan Resources: &lt;Resources (such as files/directories/BHO) that were scanned.&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1001</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SCAN_COMPLETED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>An antimalware scan finished.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<dl>
+<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
+<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+</ul>
+</dt>
+<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
+<li>Full scan</li>
+<li>Quick scan</li>
+<li>Customer scan</li>
+</ul>
+</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Scan Time: &lt;The duration of a scan.&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1002</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SCAN_CANCELLED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>An antimalware scan was stopped before it finished.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<dl>
+<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
+<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+</ul>
+</dt>
+<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
+<li>Full scan</li>
+<li>Quick scan</li>
+<li>Customer scan</li>
+</ul>
+</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Scan Time: &lt;The duration of a scan.&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1003</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SCAN_PAUSED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>An antimalware scan was paused.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<dl>
+<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
+<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+</ul>
+</dt>
+<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
+<li>Full scan</li>
+<li>Quick scan</li>
+<li>Customer scan</li>
+</ul>
+</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1004</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SCAN_RESUMED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>An antimalware scan was resumed.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<dl>
+<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
+<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+</ul>
+</dt>
+<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
+<li>Full scan</li>
+<li>Quick scan</li>
+<li>Customer scan</li>
+</ul>
+</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 1005</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SCAN_FAILED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>An antimalware scan failed. 
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<dl>
+<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
+<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+</ul>
+</dt>
+<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
+<li>Full scan</li>
+<li>Quick scan</li>
+<li>Customer scan</li>
+</ul>
+</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
+</p>
+<p>To troubleshoot this event:
+<ol>
+<li>Run the scan again.</li>
+<li>If it fails in the same way, go to the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support site</a>, enter the error number in the <b>Search</b> box to look for the error code.</li>
+<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+</li>
+</ol>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1006</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_MALWARE_DETECTED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware engine found malware or other potentially unwanted software.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>For more information please see the following:</p>
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Detection Origin: &lt;Detection origin&gt;, for example:<ul>
+<li>Unknown</li>
+<li>Local computer</li>
+<li>Network share</li>
+<li>Internet</li>
+<li>Incoming traffic</li>
+<li>Outgoing traffic</li>
+</ul>
+</dt>
+<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
+<li>Heuristics</li>
+<li>Generic</li>
+<li>Concrete</li>
+<li>Dynamic signature</li>
+</ul>
+</dt>
+<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
+<li>User: user initiated</li>
+<li>System: system initiated</li>
+<li>Real-time: real-time component initiated</li>
+<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
+<li>NIS: Network inspection system</li>
+<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
+<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
+<li>Remote attestation</li>
+</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
+UAC</dt>
+<dt>Status: &lt;Status&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Process Name: &lt;Process in the PID&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1007</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_MALWARE_ACTION_TAKEN
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:</p>
+<dl>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Action: &lt;Action&gt;, for example:<ul>
+<li>Clean: The resource was cleaned</li>
+<li>Quarantine: The resource was quarantined</li>
+<li>Remove: The resource was deleted</li>
+<li>Allow: The resource was allowed to execute/exist</li>
+<li>User defined: User defined action which is normally one from this list of actions that the user has specified</li>
+<li>No action: No action</li>
+<li>Block: The resource was blocked from executing</li>
+</ul>
+</dt>
+<dt>Status: &lt;Status&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1008</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_MALWARE_ACTION_FAILED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:</p>
+<dl>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Action: &lt;Action&gt;, for example:<ul>
+<li>Clean: The resource was cleaned</li>
+<li>Quarantine: The resource was quarantined</li>
+<li>Remove: The resource was deleted</li>
+<li>Allow: The resource was allowed to execute/exist</li>
+<li>User defined: User defined action which is normally one from this list of actions that the user has specified</li>
+<li>No action: No action</li>
+<li>Block: The resource was blocked from executing</li>
+</ul>
+</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values. </dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Status: &lt;Status&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1009</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_QUARANTINE_RESTORE
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform restored an item from quarantine.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has restored an item from quarantine. For more information please see the following:</p>
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1010</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform could not restore an item from quarantine.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:</p>
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values. </dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1011</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_QUARANTINE_DELETE</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform deleted an item from quarantine.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has deleted an item from quarantine.  
+For more information please see the following:</p>
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1012</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_QUARANTINE_DELETE_FAILED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform could not delete an item from quarantine.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has encountered an error trying to delete an item from quarantine.  
+For more information please see the following:</p>
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values. </dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1013</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_MALWARE_HISTORY_DELETE
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform deleted history of malware and other potentially unwanted software.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has removed history of malware and other potentially unwanted software.</p>
+<dl>
+<dt>Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1014</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p>The antimalware platform could not delete history of malware and other potentially unwanted software.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.</p>
+<dl>
+<dt>Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values. </dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 1015</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_BEHAVIOR_DETECTED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform detected suspicious behavior.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has detected a suspicious behavior.  
+For more information please see the following:</p>
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Detection Origin: &lt;Detection origin&gt;, for example:
+<ul>
+<li>Unknown</li>
+<li>Local computer</li>
+<li>Network share</li>
+<li>Internet</li>
+<li>Incoming traffic</li>
+<li>Outgoing traffic</li>
+</ul>
+</dt>
+<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
+<li>Heuristics</li>
+<li>Generic</li>
+<li>Concrete</li>
+<li>Dynamic signature</li>
+</ul>
+</dt>
+<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
+<li>User: user initiated</li>
+<li>System: system initiated</li>
+<li>Real-time: real-time component initiated</li>
+<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
+<li>NIS: Network inspection system</li>
+<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
+<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
+<li>Remote attestation</li>
+</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
+UAC</dt>
+<dt>Status: &lt;Status&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Process Name: &lt;Process in the PID&gt;</dt>
+<dt>Signature ID: Enumeration matching severity.</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+<dt>Fidelity Label:</dt>
+<dt>Target File Name: &lt;File name&gt;
+Name of the file.</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 1116</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_STATE_MALWARE_DETECTED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform detected malware or other potentially unwanted software.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has detected malware or other potentially unwanted software.  
+For more information please see the following:</p>
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Detection Origin: &lt;Detection origin&gt;, for example:
+<ul>
+<li>Unknown</li>
+<li>Local computer</li>
+<li>Network share</li>
+<li>Internet</li>
+<li>Incoming traffic</li>
+<li>Outgoing traffic</li>
+</ul>
+</dt>
+<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
+<li>Heuristics</li>
+<li>Generic</li>
+<li>Concrete</li>
+<li>Dynamic signature</li>
+</ul>
+</dt>
+<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
+<li>User: user initiated</li>
+<li>System: system initiated</li>
+<li>Real-time: real-time component initiated</li>
+<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
+<li>NIS: Network inspection system</li>
+<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
+<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
+<li>Remote attestation</li>
+</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
+UAC</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Process Name: &lt;Process in the PID&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click <b>Clean Computer</b>.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 1117</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has taken action to protect this machine from malware or other potentially unwanted software.  
+For more information please see the following:</p>
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Detection Origin: &lt;Detection origin&gt;, for example:
+<ul>
+<li>Unknown</li>
+<li>Local computer</li>
+<li>Network share</li>
+<li>Internet</li>
+<li>Incoming traffic</li>
+<li>Outgoing traffic</li>
+</ul>
+</dt>
+<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
+<li>Heuristics</li>
+<li>Generic</li>
+<li>Concrete</li>
+<li>Dynamic signature</li>
+</ul>
+</dt>
+<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
+<li>User: user initiated</li>
+<li>System: system initiated</li>
+<li>Real-time: real-time component initiated</li>
+<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
+<li>NIS: Network inspection system</li>
+<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
+<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
+<li>Remote attestation</li>
+</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
+UAC</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Process Name: &lt;Process in the PID&gt;</dt>
+<dt>Action: &lt;Action&gt;, for example:<ul>
+<li>Clean: The resource was cleaned</li>
+<li>Quarantine: The resource was quarantined</li>
+<li>Remove: The resource was deleted</li>
+<li>Allow: The resource was allowed to execute/exist</li>
+<li>User defined: User defined action which is normally one from this list of actions that the user has specified</li>
+<li>No action: No action</li>
+<li>Block: The resource was blocked from executing</li>
+</ul>
+</dt>
+<dt>Action Status: &lt;Description of additional actions&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+<p>NOTE:
+<p>Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:<ul>
+<li>Default Internet Explorer or Edge setting</li>
+<li>User Access Control settings</li>
+<li>Chrome settings</li>
+<li>Boot Control Data</li>
+<li>Regedit and Task Manager registry settings</li>
+<li>Windows Update, Background Intelligent Transfer Service, and Remote Procedure Call service</li>
+<li>Windows Operating System files</li></ul>
+The above context applies to the following client and server versions:
+<table>
+<tr>
+<th>Operating system</th>
+<th>Operating system version</th>
+</tr>
+<tr>
+<td>
+<p>Client Operating System </p>
+</td>
+<td>
+<p>Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Server Operating System</p>
+</td>
+<td>
+<p>Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016</p>
+</td>
+</tr>
+</table>
+</p>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>No action is necessary. Windows Defender removed or quarantined a threat. </p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 1118</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software.  
+For more information please see the following:</p>
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Detection Origin: &lt;Detection origin&gt;, for example:
+<ul>
+<li>Unknown</li>
+<li>Local computer</li>
+<li>Network share</li>
+<li>Internet</li>
+<li>Incoming traffic</li>
+<li>Outgoing traffic</li>
+</ul>
+</dt>
+<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
+<li>Heuristics</li>
+<li>Generic</li>
+<li>Concrete</li>
+<li>Dynamic signature</li>
+</ul>
+</dt>
+<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
+<li>User: user initiated</li>
+<li>System: system initiated</li>
+<li>Real-time: real-time component initiated</li>
+<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
+<li>NIS: Network inspection system</li>
+<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
+<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
+<li>Remote attestation</li>
+</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
+UAC</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Process Name: &lt;Process in the PID&gt;</dt>
+<dt>Action: &lt;Action&gt;, for example:<ul>
+<li>Clean: The resource was cleaned</li>
+<li>Quarantine: The resource was quarantined</li>
+<li>Remove: The resource was deleted</li>
+<li>Allow: The resource was allowed to execute/exist</li>
+<li>User defined: User defined action which is normally one from this list of actions that the user has specified</li>
+<li>No action: No action</li>
+<li>Block: The resource was blocked from executing</li>
+</ul>
+</dt>
+<dt>Action Status: &lt;Description of additional actions&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 1119</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software.  
+For more information please see the following:</p>
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Detection Origin: &lt;Detection origin&gt;, for example:
+<ul>
+<li>Unknown</li>
+<li>Local computer</li>
+<li>Network share</li>
+<li>Internet</li>
+<li>Incoming traffic</li>
+<li>Outgoing traffic</li>
+</ul>
+</dt>
+<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
+<li>Heuristics</li>
+<li>Generic</li>
+<li>Concrete</li>
+<li>Dynamic signature</li>
+</ul>
+</dt>
+<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
+<li>User: user initiated</li>
+<li>System: system initiated</li>
+<li>Real-time: real-time component initiated</li>
+<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
+<li>NIS: Network inspection system</li>
+<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
+<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
+<li>Remote attestation</li>
+</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
+UAC</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Process Name: &lt;Process in the PID&gt;</dt>
+<dt>Action: &lt;Action&gt;, for example:<ul>
+<li>Clean: The resource was cleaned</li>
+<li>Quarantine: The resource was quarantined</li>
+<li>Remove: The resource was deleted</li>
+<li>Allow: The resource was allowed to execute/exist</li>
+<li>User defined: User defined action which is normally one from this list of actions that the user has specified</li>
+<li>No action: No action</li>
+<li>Block: The resource was blocked from executing</li>
+</ul>
+</dt>
+<dt>Action Status: &lt;Description of additional actions&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant <b>User action</b> steps below.</p>
+<table>
+<tr>
+<th>Action</th>
+<th>User action</th>
+</tr>
+<tr>
+<td>
+<p><b>Remove</b></p>
+</td>
+<td>
+<p>Update the definitions then verify that the removal was successful.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><b>Clean</b></p>
+</td>
+<td>
+<p>Update the definitions then verify that the remediation was successful.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><b>Quarantine</b></p>
+</td>
+<td>
+<p>Update the definitions and verify that the user has permission to access the necessary resources.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><b>Allow</b></p>
+</td>
+<td>
+<p>Verify that the user has permission to access the necessary resources.</p>
+</td>
+</tr>
+</table>
+<p> </p>
+<p>If this event persists:<ol>
+<li>Run the scan again.</li>
+<li>If it fails in the same way, go to the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support site</a>, enter the error number in the <b>Search</b> box to look for the error code.</li>
+<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+</li>
+</ol>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 1120</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_THREAT_HASH</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>Windows Defender has deduced the hashes for a threat resource.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender client is up and running in a healthy state.</p>
+<dl>
+<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
+<dt>Threat Resource Path: &lt;Path&gt;</dt>
+<dt>Hashes: &lt;Hashes&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td></td>
+<td colspan="2">
+<div class="alert"><b>Note</b>  This event will only be logged if the following policy is set: <b>ThreatFileHashLogging 	unsigned</b>.</div>
+<div> </div>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 1150</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SERVICE_HEALTHY</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender client is up and running in a healthy state.</p>
+<dl>
+<dt>Platform Version: &lt;Current platform version&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>No action is necessary. The Windows Defenderclient is in a healthy state. This event is reported on an hourly basis.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 2000</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SIGNATURE_UPDATED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware definitions updated successfully.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender signature version has been updated.</p>
+<dl>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
+<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Update Type: &lt;Update type&gt;, either Full or Delta.</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 2001</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware definition update failed. 
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has encountered an error trying to update signatures.</p>
+<dl>
+<dt>New Signature Version: &lt;New version number&gt;</dt>
+<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
+<dt>Update Source: &lt;Update source&gt;, for example:
+<ul>
+<li>Signature update folder</li>
+<li>Internal definition update server</li>
+<li>Microsoft Update Server</li>
+<li>File share</li>
+<li>Microsoft Malware Protection Center (MMPC)</li>
+</ul>
+</dt>
+<dt>Update Stage: &lt;Update stage&gt;, for example:
+<ul>
+<li>Search</li>
+<li>Download</li>
+<li>Install</li>
+</ul>
+</dt>
+<dt>Source Path: File share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.</dt>
+<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Update Type: &lt;Update type&gt;, either Full or Delta.</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>This error occurs when there is a problem updating definitions.</p>
+<p>To troubleshoot this event:
+<ol>
+<li>Update the definitions. Either:<ol>
+<li>Click the <b>Update definitions</b> button on the <b>Update</b> tab in Windows Defender. <img src="images/defender-updatedefs2.png" alt="Update definitions in Windows Defender"/><p>Or,</p>
+</li>
+<li>Download the latest definitions from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a>.
+<p>Note: The size of the definitions file downloaded from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a> can exceed 60 MB and should not be used as a long-term solution for updating definitions.</p>
+</li>
+</ol>
+</li>
+<li>Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.</li>
+<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+</li>
+</ol>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 2002</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_ENGINE_UPDATED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware engine updated successfully.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender engine version has been updated.</p>
+<dl>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
+<dt>Engine Type: &lt;Engine type&gt;, either antimalware engine or Network Inspection System engine.</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 2003</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_ENGINE_UPDATE_FAILED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware engine update failed.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has encountered an error trying to update the engine.</p>
+<dl>
+<dt>New Engine Version:</dt>
+<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
+<dt>Engine Type: &lt;Engine type&gt;, either antimalware engine or Network Inspection System engine.</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.</p>
+<p>To troubleshoot this event:
+<ol>
+<li>Update the definitions. Either:<ol>
+<li>Click the <b>Update definitions</b> button on the <b>Update</b> tab in Windows Defender. <img src="images/defender-updatedefs2.png" alt="Update definitions in Windows Defender"/><p>Or,</p>
+</li>
+<li>Download the latest definitions from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a>.
+<p>Note: The size of the definitions file downloaded from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a> can exceed 60 MB and should not be used as a long-term solution for updating definitions.</p>
+</li>
+</ol>
+</li>
+<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+</li>
+</ol>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 2004</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SIGNATURE_REVERSION</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.</p>
+<dl>
+<dt>Signatures Attempted:</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.</p>
+<p>To troubleshoot this event:
+<ol>
+<li>Restart the computer and try again.</li>
+<li>Download the latest definitions from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a>.
+<p>Note: The size of the definitions file downloaded from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a> can exceed 60 MB and should not be used as a long-term solution for updating definitions.</p>
+</li>
+<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+</li>
+</ol>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 2005</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.</p>
+<dl>
+<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 2006</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_PLATFORM_UPDATE_FAILED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The platform update failed.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has encountered an error trying to update the platform.</p>
+<dl>
+<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 2007</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.</p>
+<dl>
+<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 2010</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware engine used the Dynamic Signature Service to get additional definitions.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender used <i>Dynamic Signature Service</i> to retrieve additional signatures to help protect your machine.</p>
+<dl>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Dynamic Signature Type: &lt;Dynamic signature type&gt;, for example:
+<ul>
+<li>Version</li>
+<li>Timestamp</li>
+<li>No limit</li>
+<li>Duration</li>
+</ul>
+</dt>
+<dt>Persistence Path: &lt;Path&gt;</dt>
+<dt>Dynamic Signature Version: &lt;Version number&gt;</dt>
+<dt>Dynamic Signature Compilation Timestamp: &lt;Timestamp&gt;</dt>
+<dt>Persistence Limit Type: &lt;Persistence limit type&gt;, for example:
+<ul>
+<li>VDM version</li>
+<li>Timestamp</li>
+<li>No limit</li>
+</ul>
+</dt>
+<dt>Persistence Limit: Persistence limit of the fastpath signature.</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 2011</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The Dynamic Signature Service deleted the out-of-date dynamic definitions.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender used <i>Dynamic Signature Service</i> to discard obsolete signatures.</p>
+<dl>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Dynamic Signature Type: &lt;Dynamic signature type&gt;, for example:
+<ul>
+<li>Version</li>
+<li>Timestamp</li>
+<li>No limit</li>
+<li>Duration</li>
+</ul>
+</dt>
+<dt>Persistence Path: &lt;Path&gt;</dt>
+<dt>Dynamic Signature Version: &lt;Version number&gt;</dt>
+<dt>Dynamic Signature Compilation Timestamp: &lt;Timestamp&gt;</dt>
+<dt>Removal Reason:</dt>
+<dt>Persistence Limit Type: &lt;Persistence limit type&gt;, for example:
+<ul>
+<li>VDM version</li>
+<li>Timestamp</li>
+<li>No limit</li>
+</ul>
+</dt>
+<dt>Persistence Limit: Persistence limit of the fastpath signature.</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 2012</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware engine encountered an error when trying to use the Dynamic Signature Service.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has encountered an error trying to use <i>Dynamic Signature Service</i>.</p>
+<dl>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Dynamic Signature Type: &lt;Dynamic signature type&gt;, for example:
+<ul>
+<li>Version</li>
+<li>Timestamp</li>
+<li>No limit</li>
+<li>Duration</li>
+</ul>
+</dt>
+<dt>Persistence Path: &lt;Path&gt;</dt>
+<dt>Dynamic Signature Version: &lt;Version number&gt;</dt>
+<dt>Dynamic Signature Compilation Timestamp: &lt;Timestamp&gt;</dt>
+<dt>Persistence Limit Type: &lt;Persistence limit type&gt;, for example:
+<ul>
+<li>VDM version</li>
+<li>Timestamp</li>
+<li>No limit</li>
+</ul>
+</dt>
+<dt>Persistence Limit: Persistence limit of the fastpath signature.</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>Check your Internet connectivity settings.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 2013</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The Dynamic Signature Service deleted all dynamic definitions.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender discarded all <i>Dynamic Signature Service</i> signatures.</p>
+<dl>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 2020</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware engine downloaded a clean file.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender downloaded a clean file.</p>
+<dl>
+<dt>Filename: &lt;File name&gt;
+Name of the file.</dt>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 2021</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware engine failed to download a clean file.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has encountered an error trying to download a clean file.</p>
+<dl>
+<dt>Filename: &lt;File name&gt;
+Name of the file.</dt>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>Check your Internet connectivity settings.
+</p>
+<p>The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. 
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 2030</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware engine was downloaded and is configured to run offline on the next system restart.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 2031</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware engine was unable to download and configure an offline scan.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender has encountered an error trying to download and configure Windows Defender Offline.</p>
+<dl>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 2040</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_OS_EXPIRING
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>Antimalware support for this operating system version will soon end.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 2041</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_OS_EOL
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>Antimalware support for this operating system has ended. You must upgrade the operating system for continued support.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 2042</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_PROTECTION_EOL
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 3002</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_RTP_FEATURE_FAILURE
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>Real-time protection encountered an error and failed.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender Real-Time Protection feature has encountered an error and failed.</p>
+<dl>
+<dt>Feature: &lt;Feature&gt;, for example:
+<ul>
+<li>On Access</li>
+<li>Internet Explorer downloads and Microsoft Outlook Express attachments</li>
+<li>Behavior monitoring</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Reason: The reason Windows Defender real-time protection has restarted a feature.</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>You should restart the system then run a full scan because it’s possible the system was not protected for some time.
+</p>
+<p>The Windows Defender client’s real-time protection feature encountered an error because one of the services failed to start. 
+</p>
+<p>If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. 
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="4">Event ID: 3007</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_RTP_FEATURE_RECOVERED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>Real-time protection recovered from a failure. We recommend running a full system scan when you see this error.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.</p>
+<dl>
+<dt>Feature: &lt;Feature&gt;, for example:
+<ul>
+<li>On Access</li>
+<li>IE downloads and Outlook Express attachments</li>
+<li>Behavior monitoring</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Reason: The reason Windows Defender real-time protection has restarted a feature.</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>The real-time protection feature has restarted. If this event happens again, contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>. </p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 5000</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_RTP_ENABLED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>Real-time protection is enabled.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 5001</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_RTP_DISABLED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>Real-time protection is disabled.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled. </p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 5004</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_RTP_FEATURE_CONFIGURED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The real-time protection configuration changed.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender Real-time Protection feature configuration has changed.</p>
+<dl>
+<dt>Feature: &lt;Feature&gt;, for example:
+<ul>
+<li>On Access</li>
+<li>IE downloads and Outlook Express attachments</li>
+<li>Behavior monitoring</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Configuration: </dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 5007</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_CONFIG_CHANGED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform configuration changed.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.</p>
+<dl>
+<dt>Old value: &lt;Old value number&gt;
+Old Windows Defender configuration value.</dt>
+<dt>New value: &lt;New value number&gt;
+New Windows Defender configuration value.</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="5">Event ID: 5008</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_ENGINE_FAILURE</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware engine encountered an error and failed.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender  engine has been terminated due to an unexpected error.</p>
+<dl>
+<dt>Failure Type: &lt;Failure type&gt;, for example:
+Crash
+or Hang</dt>
+<dt>Exception Code: &lt;Error code&gt;</dt>
+<dt>Resource: &lt;Resource&gt;</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>To troubleshoot this event:<ol>
+<li>Try to restart the service.<ul>
+<li>For antimalware, antivirus and spyware, at an elevated command prompt, type <b>net stop msmpsvc</b>, and then type <b>net start msmpsvc</b> to restart the antimalware engine.</li>
+<li>For the <i>Network Inspection System</i>, at an elevated command prompt, type <b>net start nissrv</b>, and then type <b>net start nissrv</b> to restart the <i>Network Inspection System</i> engine by using the NiSSRV.exe file.
+</li>
+</ul>
+</li>
+<li>If it fails in the same way, look up the error code by accessing the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support Site</a>  and entering the error number in the <b>Search</b> box, and contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.</li>
+</ol>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>User action:</p>
+</td>
+<td colspan="2">
+<p>The Windows Defender client engine stopped due to an unexpected error.</p>
+<p>To troubleshoot this event:
+<ol>
+<li>Run the scan again.</li>
+<li>If it fails in the same way, go to the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support site</a>, enter the error number in the <b>Search</b> box to look for the error code.</li>
+<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+</li>
+</ol>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 5009</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_ANTISPYWARE_ENABLED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>Scanning for malware and other potentially unwanted software is enabled.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>Windows Defender scanning for malware and other potentially unwanted software has been enabled.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 5010</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_ANTISPYWARE_DISABLED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>Scanning for malware and other potentially unwanted software is disabled.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>Windows Defender scanning for malware and other potentially unwanted software is disabled.</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 5011</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_ANTIVIRUS_ENABLED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>Scanning for viruses is enabled.</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>Windows Defender scanning for viruses has been enabled. </p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 5012</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_ANTIVIRUS_DISABLED
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>Scanning for viruses is disabled.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>Windows Defender scanning for viruses is disabled. </p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 5100</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_EXPIRATION_WARNING_STATE
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform will expire soon.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description:</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender  has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.</p>
+<dl>
+<dt>Expiration Reason: The reason Windows Defender will expire.</dt>
+<dt>Expiration Date: The date Windows Defender will expire.</dt>
+</dl>
+</p>
+</td>
+</tr>
+<tr>
+<th rowspan="3">Event ID: 5101</th>
+<td>
+<p>Symbolic name:</p>
+</td>
+<td colspan="2">
+<p><b>MALWAREPROTECTION_DISABLED_EXPIRED_STATE
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Message:</p>
+</td>
+<td colspan="2">
+<p><b>The antimalware platform is expired.
+</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Description::</p>
+</td>
+<td colspan="2">
+<p>
+<p>Windows Defender  grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.</p>
+<dl>
+<dt>Expiration Reason:</dt>
+<dt>Expiration Date: </dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</p>
+</td>
+</tr>
+</table>
+
+<a id="error-codes"></a>
+## Windows Defender client error codes
+If Windows Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
+This section provides the following information about Windows Defender Antivirus client errors.
+-   The error code
+-   The possible reason for the error
+-   Advice on what to do now
+Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes.
+<table>
+<tr>
+<th colspan="4">External error codes</th>
+</tr>
+<tr>
+<th>Error code</th>
+<th>Message displayed</th>
+<th>Possible reason for error</th>
+<th>What to do now</th>
+</tr>
+<tr>
+<td>
+<p>0x80508007 
+</p>
+</td>
+<td>
+<p><b>ERR_MP_NO_MEMORY 
+</b></p>
+</td>
+<td>
+<p>This error indicates that you might have run out of memory. 
+</p>
+</td>
+<td>
+<p>
+<ol>
+<li>Check the available memory on your device.</li>
+<li>Close any unused applications that are running to free up memory on your device.</li>
+<li>Restart the device and run the scan again. 
+</li>
+</ol>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x8050800C</p>
+</td>
+<td>
+<p><b>ERR_MP_BAD_INPUT_DATA</b></p>
+</td>
+<td>
+<p>This error indicates that there might be a problem with your security product.</p>
+</td>
+<td rowspan="4">
+<p>
+<ol>
+<li>Update the definitions. Either:<ol>
+<li>Click the <b>Update definitions</b> button on the <b>Update</b> tab in Windows Defender. <img src="images/defender-updatedefs2.png" alt="Update definitions in Windows Defender"/><p>Or,</p>
+</li>
+<li>Download the latest definitions from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a>.
+<p>Note: The size of the definitions file downloaded from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a> can exceed 60 MB and should not be used as a long-term solution for updating definitions.</p>
+</li>
+</ol>
+</li>
+<li>Run a full scan.
+</li>
+<li>Restart the device and try again.</li>
+</ol>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508020</p>
+</td>
+<td>
+<p><b>ERR_MP_BAD_CONFIGURATION 
+</b></p>
+</td>
+<td>
+<p>This error indicates that there might be an engine configuration error; commonly, this is related to input 
+data that does not allow the engine to function properly. 
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x805080211 
+</p>
+</td>
+<td>
+<p><b>ERR_MP_QUARANTINE_FAILED 
+</b></p>
+</td>
+<td>
+<p>This error indicates that Windows Defender failed to quarantine a threat. 
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508022 
+</p>
+</td>
+<td>
+<p><b>ERR_MP_REBOOT_REQUIRED 
+</b></p>
+</td>
+<td>
+<p>This error indicates that a reboot is required to complete threat removal. 
+</p>
+</td>
+</tr>
+<tr>
+<td rowspan="2">
+<p>0x80508023 
+</p>
+</td>
+<td>
+<p><b>ERR_MP_THREAT_NOT_FOUND 
+</b></p>
+</td>
+<td>
+<p>This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device. 
+</p>
+</td>
+<td>
+<p>Run the <a href="https://www.microsoft.com/security/scanner/default.aspx">Microsoft Safety Scanner</a> then update your security software and try again. 
+</p>
+</td>
+</tr>
+<tr>
+<td rowspan="2">
+<p><b>ERR_MP_FULL_SCAN_REQUIRED 
+</b></p>
+</td>
+<td rowspan="2">
+<p>This error indicates that a full system scan might be required. 
+</p>
+</td>
+<td rowspan="2">
+<p>Run a full system scan. 
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508024 
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508025 
+</p>
+</td>
+<td>
+<p><b>ERR_MP_MANUAL_STEPS_REQUIRED 
+</b></p>
+</td>
+<td>
+<p>This error indicates that manual steps are required to complete threat removal. 
+</p>
+</td>
+<td>
+<p>Follow the manual remediation steps outlined in the <a href="https://www.microsoft.com/security/portal/threat/Threats.aspx">Microsoft Malware Protection Encyclopedia</a>. You can find a threat-specific link in the event history.  
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508026 
+</p>
+</td>
+<td>
+<p><b>ERR_MP_REMOVE_NOT_SUPPORTED 
+</b></p>
+</td>
+<td>
+<p>This error indicates that removal inside the container type might not be not supported. 
+</p>
+</td>
+<td>
+<p>Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources. 
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508027 
+</p>
+</td>
+<td>
+<p><b>ERR_MP_REMOVE_LOW_MEDIUM_DISABLED 
+</b></p>
+</td>
+<td>
+<p>This error indicates that removal of low and medium threats might be disabled. 
+</p>
+</td>
+<td>
+<p>Check the detected threats and resolve them as required. 
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508029 
+</p>
+</td>
+<td>
+<p><b>ERROR_MP_RESCAN_REQUIRED 
+</b></p>
+</td>
+<td>
+<p>This error indicates a rescan of the threat is required. 
+</p>
+</td>
+<td>
+<p>Run a full system scan. 
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508030 
+</p>
+</td>
+<td>
+<p><b>ERROR_MP_CALLISTO_REQUIRED 
+</b></p>
+</td>
+<td>
+<p>This error indicates that an offline scan is required. 
+</p>
+</td>
+<td>
+<p>Run Windows Defender Offline. You can read about how to do this in the <a href="http://windows.microsoft.com/windows/what-is-windows-defender-offline">Windows Defender Offline 
+article</a>.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508031 
+</p>
+</td>
+<td>
+<p><b>ERROR_MP_PLATFORM_OUTDATED  
+</b></p>
+</td>
+<td>
+<p>This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform. 
+</p>
+</td>
+<td>
+<p>You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use <a href="https://www.microsoft.com/server-cloud/system-center/endpoint-protection-2012.aspx">System Center Endpoint Protection</a>.  
+</p>
+</td>
+</tr>
+</table>
+
+<a id="internal-error-codes"></a>
+The following error codes are used during internal testing of Windows Defender AV.
+
+<table>
+<tr>
+<th colspan="4">Internal error codes</th>
+</tr>
+<tr>
+<th>Error code</th>
+<th>Message displayed</th>
+<th>Possible reason for error</th>
+<th>What to do now</th>
+</tr>
+<tr>
+<td>
+<p>0x80501004</p>
+</td>
+<td>
+<p><b>ERROR_MP_NO_INTERNET_CONN 
+</b></p>
+</td>
+<td>
+<p>Check your Internet connection, then run the scan again.</p>
+</td>
+<td>
+<p>Check your Internet connection, then run the scan again.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80501000</p>
+</td>
+<td>
+<p><b>ERROR_MP_UI_CONSOLIDATION_BAS</b>E</p>
+</td>
+<td rowspan="34">
+<p>This is an internal error. The cause is not clearly defined.</p>
+</td>
+<td rowspan="36">
+<p>
+<ol>
+<li>Update the definitions. Either:<ol>
+<li>Click the <b>Update definitions</b> button on the <b>Update</b> tab in Windows Defender. <img src="images/defender-updatedefs2.png" alt="Update definitions in Windows Defender"/><p>Or,</p>
+</li>
+<li>Download the latest definitions from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a>.
+<p>Note: The size of the definitions file downloaded from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a> can exceed 60 MB and should not be used as a long-term solution for updating definitions.</p>
+</li>
+</ol>
+</li>
+<li>Run a full scan.
+</li>
+<li>Restart the device and try again.</li>
+</ol>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80501001</p>
+</td>
+<td>
+<p><b>ERROR_MP_ACTIONS_FAILED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80501002</p>
+</td>
+<td>
+<p><b>ERROR_MP_NOENGINE</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80501003</p>
+</td>
+<td>
+<p><b>ERROR_MP_ACTIVE_THREATS</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x805011011</p>
+</td>
+<td>
+<p><b>MP_ERROR_CODE_LUA_CANCELLED </b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80501101</p>
+</td>
+<td>
+<p><b>ERROR_LUA_CANCELLATION </b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80501102</p>
+</td>
+<td>
+<p><b>MP_ERROR_CODE_ALREADY_SHUTDOWN</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80501103</p>
+</td>
+<td>
+<p><b>MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING </b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80501104</p>
+</td>
+<td>
+<p><b>MP_ERROR_CODE_CANCELLED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80501105</p>
+</td>
+<td>
+<p><b>MP_ERROR_CODE_NO_TARGETOS</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80501106</p>
+</td>
+<td>
+<p><b>MP_ERROR_CODE_BAD_REGEXP</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80501107</p>
+</td>
+<td>
+<p><b>MP_ERROR_TEST_INDUCED_ERROR</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80501108</p>
+</td>
+<td>
+<p><b>MP_ERROR_SIG_BACKUP_DISABLED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508001</p>
+</td>
+<td>
+<p><b>ERR_MP_BAD_INIT_MODULES</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508002</p>
+</td>
+<td>
+<p><b>ERR_MP_BAD_DATABASE</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508004</p>
+</td>
+<td>
+<p><b>ERR_MP_BAD_UFS </b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x8050800C</p>
+</td>
+<td>
+<p><b>ERR_MP_BAD_INPUT_DATA</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x8050800D</p>
+</td>
+<td>
+<p><b>ERR_MP_BAD_GLOBAL_STORAGE</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x8050800E</p>
+</td>
+<td>
+<p><b>ERR_MP_OBSOLETE</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x8050800F</p>
+</td>
+<td>
+<p><b>ERR_MP_NOT_SUPPORTED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x8050800F
+0x80508010
+</p>
+</td>
+<td>
+<p><b>ERR_MP_NO_MORE_ITEMS </b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508011</p>
+</td>
+<td>
+<p><b>ERR_MP_DUPLICATE_SCANID</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508012</p>
+</td>
+<td>
+<p><b>ERR_MP_BAD_SCANID</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508013</p>
+</td>
+<td>
+<p><b>ERR_MP_BAD_USERDB_VERSION</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508014</p>
+</td>
+<td>
+<p><b>ERR_MP_RESTORE_FAILED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508016</p>
+</td>
+<td>
+<p><b>ERR_MP_BAD_ACTION</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508019</p>
+</td>
+<td>
+<p><b>ERR_MP_NOT_FOUND</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80509001</p>
+</td>
+<td>
+<p><b>ERR_RELO_BAD_EHANDLE</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80509003</p>
+</td>
+<td>
+<p><b>ERR_RELO_KERNEL_NOT_LOADED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x8050A001</p>
+</td>
+<td>
+<p><b>ERR_MP_BADDB_OPEN</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x8050A002</p>
+</td>
+<td>
+<p><b>ERR_MP_BADDB_HEADER</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x8050A003</p>
+</td>
+<td>
+<p><b>ERR_MP_BADDB_OLDENGINE</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x8050A004</p>
+</td>
+<td>
+<p><b>ERR_MP_BADDB_CONTENT </b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x8050A005</p>
+</td>
+<td>
+<p><b>ERR_MP_BADDB_NOTSIGNED</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x8050801</p>
+</td>
+<td>
+<p><b>ERR_MP_REMOVE_FAILED</b></p>
+</td>
+<td>
+<p>This is an internal error. It might be triggered when malware removal is not successful. 
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>0x80508018 
+</p>
+</td>
+<td>
+<p><b>ERR_MP_SCAN_ABORTED 
+</b></p>
+</td>
+<td>
+<p>This is an internal error. It might have triggered when a scan fails to complete. 
+</p>
+</td>
+</tr>
+</table>
+
+## Related topics
+
+- [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
index 3730d58e83..2c5e7c8ce8 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
@@ -1,6 +1,6 @@
 ---
 title: Troubleshoot Windows Defender in Windows 10 (Windows 10)
-description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
+description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
 ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -8,3315 +8,9 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: jasesso
+redirect_url: /troubleshoot-windows-defender-antivirus/
 ---
 
 # Troubleshoot Windows Defender in Windows 10
 
-**Applies to**
--   Windows 10
-
-IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
-
-## Windows Defender client event IDs
-
-This section provides the following information about Windows Defender client events:
-
--   The text of the message as it appears in the event
--   The name of the source of the message
--   The symbolic name that identifies each message in the programming source code
--   Additional information about the message
-
-Use the information in this table to help troubleshoot Windows Defender client events; these are located in the **Windows Event Viewer**, under **Windows Logs**.
-
-**To view a Windows Defender client event**
-
-1.  Open **Event Viewer**.
-2.  In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
-3.  Double-click on **Operational**.
-4.  In the details pane, view the list of individual events to find your event.
-5.  Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
-
-You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
-
-<table>
-<tr>
-<th rowspan="3">Event ID: 1000</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SCAN_STARTED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>An antimalware scan started.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<dl>
-<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
-<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-</ul>
-</dt>
-<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
-<li>Full scan</li>
-<li>Quick scan</li>
-<li>Customer scan</li>
-</ul>
-</dt>
-<dt>Scan Resources: &lt;Resources (such as files/directories/BHO) that were scanned.&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1001</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SCAN_COMPLETED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>An antimalware scan finished.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<dl>
-<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
-<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-</ul>
-</dt>
-<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
-<li>Full scan</li>
-<li>Quick scan</li>
-<li>Customer scan</li>
-</ul>
-</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Scan Time: &lt;The duration of a scan.&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1002</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SCAN_CANCELLED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>An antimalware scan was stopped before it finished.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<dl>
-<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
-<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-</ul>
-</dt>
-<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
-<li>Full scan</li>
-<li>Quick scan</li>
-<li>Customer scan</li>
-</ul>
-</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Scan Time: &lt;The duration of a scan.&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1003</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SCAN_PAUSED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>An antimalware scan was paused.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<dl>
-<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
-<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-</ul>
-</dt>
-<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
-<li>Full scan</li>
-<li>Quick scan</li>
-<li>Customer scan</li>
-</ul>
-</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1004</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SCAN_RESUMED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>An antimalware scan was resumed.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<dl>
-<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
-<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-</ul>
-</dt>
-<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
-<li>Full scan</li>
-<li>Quick scan</li>
-<li>Customer scan</li>
-</ul>
-</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 1005</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SCAN_FAILED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>An antimalware scan failed. 
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<dl>
-<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
-<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-</ul>
-</dt>
-<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
-<li>Full scan</li>
-<li>Quick scan</li>
-<li>Customer scan</li>
-</ul>
-</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
-</p>
-<p>To troubleshoot this event:
-<ol>
-<li>Run the scan again.</li>
-<li>If it fails in the same way, go to the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support site</a>, enter the error number in the <b>Search</b> box to look for the error code.</li>
-<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
-</li>
-</ol>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1006</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_MALWARE_DETECTED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware engine found malware or other potentially unwanted software.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>For more information please see the following:</p>
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Detection Origin: &lt;Detection origin&gt;, for example:<ul>
-<li>Unknown</li>
-<li>Local computer</li>
-<li>Network share</li>
-<li>Internet</li>
-<li>Incoming traffic</li>
-<li>Outgoing traffic</li>
-</ul>
-</dt>
-<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
-<li>Heuristics</li>
-<li>Generic</li>
-<li>Concrete</li>
-<li>Dynamic signature</li>
-</ul>
-</dt>
-<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
-<li>User: user initiated</li>
-<li>System: system initiated</li>
-<li>Real-time: real-time component initiated</li>
-<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
-<li>NIS: Network inspection system</li>
-<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
-<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
-<li>Remote attestation</li>
-</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
-UAC</dt>
-<dt>Status: &lt;Status&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Process Name: &lt;Process in the PID&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1007</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_MALWARE_ACTION_TAKEN
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:</p>
-<dl>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Action: &lt;Action&gt;, for example:<ul>
-<li>Clean: The resource was cleaned</li>
-<li>Quarantine: The resource was quarantined</li>
-<li>Remove: The resource was deleted</li>
-<li>Allow: The resource was allowed to execute/exist</li>
-<li>User defined: User defined action which is normally one from this list of actions that the user has specified</li>
-<li>No action: No action</li>
-<li>Block: The resource was blocked from executing</li>
-</ul>
-</dt>
-<dt>Status: &lt;Status&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1008</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_MALWARE_ACTION_FAILED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:</p>
-<dl>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Action: &lt;Action&gt;, for example:<ul>
-<li>Clean: The resource was cleaned</li>
-<li>Quarantine: The resource was quarantined</li>
-<li>Remove: The resource was deleted</li>
-<li>Allow: The resource was allowed to execute/exist</li>
-<li>User defined: User defined action which is normally one from this list of actions that the user has specified</li>
-<li>No action: No action</li>
-<li>Block: The resource was blocked from executing</li>
-</ul>
-</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values. </dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Status: &lt;Status&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1009</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_QUARANTINE_RESTORE
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform restored an item from quarantine.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has restored an item from quarantine. For more information please see the following:</p>
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1010</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform could not restore an item from quarantine.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:</p>
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values. </dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1011</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_QUARANTINE_DELETE</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform deleted an item from quarantine.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has deleted an item from quarantine.  
-For more information please see the following:</p>
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1012</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_QUARANTINE_DELETE_FAILED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform could not delete an item from quarantine.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has encountered an error trying to delete an item from quarantine.  
-For more information please see the following:</p>
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values. </dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1013</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_MALWARE_HISTORY_DELETE
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform deleted history of malware and other potentially unwanted software.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has removed history of malware and other potentially unwanted software.</p>
-<dl>
-<dt>Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1014</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p>The antimalware platform could not delete history of malware and other potentially unwanted software.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.</p>
-<dl>
-<dt>Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values. </dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 1015</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_BEHAVIOR_DETECTED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform detected suspicious behavior.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has detected a suspicious behavior.  
-For more information please see the following:</p>
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Detection Origin: &lt;Detection origin&gt;, for example:
-<ul>
-<li>Unknown</li>
-<li>Local computer</li>
-<li>Network share</li>
-<li>Internet</li>
-<li>Incoming traffic</li>
-<li>Outgoing traffic</li>
-</ul>
-</dt>
-<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
-<li>Heuristics</li>
-<li>Generic</li>
-<li>Concrete</li>
-<li>Dynamic signature</li>
-</ul>
-</dt>
-<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
-<li>User: user initiated</li>
-<li>System: system initiated</li>
-<li>Real-time: real-time component initiated</li>
-<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
-<li>NIS: Network inspection system</li>
-<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
-<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
-<li>Remote attestation</li>
-</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
-UAC</dt>
-<dt>Status: &lt;Status&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Process Name: &lt;Process in the PID&gt;</dt>
-<dt>Signature ID: Enumeration matching severity.</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-<dt>Fidelity Label:</dt>
-<dt>Target File Name: &lt;File name&gt;
-Name of the file.</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 1116</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_STATE_MALWARE_DETECTED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform detected malware or other potentially unwanted software.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has detected malware or other potentially unwanted software.  
-For more information please see the following:</p>
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Detection Origin: &lt;Detection origin&gt;, for example:
-<ul>
-<li>Unknown</li>
-<li>Local computer</li>
-<li>Network share</li>
-<li>Internet</li>
-<li>Incoming traffic</li>
-<li>Outgoing traffic</li>
-</ul>
-</dt>
-<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
-<li>Heuristics</li>
-<li>Generic</li>
-<li>Concrete</li>
-<li>Dynamic signature</li>
-</ul>
-</dt>
-<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
-<li>User: user initiated</li>
-<li>System: system initiated</li>
-<li>Real-time: real-time component initiated</li>
-<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
-<li>NIS: Network inspection system</li>
-<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
-<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
-<li>Remote attestation</li>
-</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
-UAC</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Process Name: &lt;Process in the PID&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click <b>Clean Computer</b>.</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 1117</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has taken action to protect this machine from malware or other potentially unwanted software.  
-For more information please see the following:</p>
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Detection Origin: &lt;Detection origin&gt;, for example:
-<ul>
-<li>Unknown</li>
-<li>Local computer</li>
-<li>Network share</li>
-<li>Internet</li>
-<li>Incoming traffic</li>
-<li>Outgoing traffic</li>
-</ul>
-</dt>
-<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
-<li>Heuristics</li>
-<li>Generic</li>
-<li>Concrete</li>
-<li>Dynamic signature</li>
-</ul>
-</dt>
-<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
-<li>User: user initiated</li>
-<li>System: system initiated</li>
-<li>Real-time: real-time component initiated</li>
-<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
-<li>NIS: Network inspection system</li>
-<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
-<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
-<li>Remote attestation</li>
-</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
-UAC</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Process Name: &lt;Process in the PID&gt;</dt>
-<dt>Action: &lt;Action&gt;, for example:<ul>
-<li>Clean: The resource was cleaned</li>
-<li>Quarantine: The resource was quarantined</li>
-<li>Remove: The resource was deleted</li>
-<li>Allow: The resource was allowed to execute/exist</li>
-<li>User defined: User defined action which is normally one from this list of actions that the user has specified</li>
-<li>No action: No action</li>
-<li>Block: The resource was blocked from executing</li>
-</ul>
-</dt>
-<dt>Action Status: &lt;Description of additional actions&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-<p>NOTE:
-<p>Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:<ul>
-<li>Default Internet Explorer or Edge setting</li>
-<li>User Access Control settings</li>
-<li>Chrome settings</li>
-<li>Boot Control Data</li>
-<li>Regedit and Task Manager registry settings</li>
-<li>Windows Update, Background Intelligent Transfer Service, and Remote Procedure Call service</li>
-<li>Windows Operating System files</li></ul>
-The above context applies to the following client and server versions:
-<table>
-<tr>
-<th>Operating system</th>
-<th>Operating system version</th>
-</tr>
-<tr>
-<td>
-<p>Client Operating System </p>
-</td>
-<td>
-<p>Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Server Operating System</p>
-</td>
-<td>
-<p>Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016</p>
-</td>
-</tr>
-</table>
-</p>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>No action is necessary. Windows Defender removed or quarantined a threat. </p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 1118</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software.  
-For more information please see the following:</p>
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Detection Origin: &lt;Detection origin&gt;, for example:
-<ul>
-<li>Unknown</li>
-<li>Local computer</li>
-<li>Network share</li>
-<li>Internet</li>
-<li>Incoming traffic</li>
-<li>Outgoing traffic</li>
-</ul>
-</dt>
-<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
-<li>Heuristics</li>
-<li>Generic</li>
-<li>Concrete</li>
-<li>Dynamic signature</li>
-</ul>
-</dt>
-<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
-<li>User: user initiated</li>
-<li>System: system initiated</li>
-<li>Real-time: real-time component initiated</li>
-<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
-<li>NIS: Network inspection system</li>
-<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
-<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
-<li>Remote attestation</li>
-</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
-UAC</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Process Name: &lt;Process in the PID&gt;</dt>
-<dt>Action: &lt;Action&gt;, for example:<ul>
-<li>Clean: The resource was cleaned</li>
-<li>Quarantine: The resource was quarantined</li>
-<li>Remove: The resource was deleted</li>
-<li>Allow: The resource was allowed to execute/exist</li>
-<li>User defined: User defined action which is normally one from this list of actions that the user has specified</li>
-<li>No action: No action</li>
-<li>Block: The resource was blocked from executing</li>
-</ul>
-</dt>
-<dt>Action Status: &lt;Description of additional actions&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 1119</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software.  
-For more information please see the following:</p>
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Detection Origin: &lt;Detection origin&gt;, for example:
-<ul>
-<li>Unknown</li>
-<li>Local computer</li>
-<li>Network share</li>
-<li>Internet</li>
-<li>Incoming traffic</li>
-<li>Outgoing traffic</li>
-</ul>
-</dt>
-<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
-<li>Heuristics</li>
-<li>Generic</li>
-<li>Concrete</li>
-<li>Dynamic signature</li>
-</ul>
-</dt>
-<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
-<li>User: user initiated</li>
-<li>System: system initiated</li>
-<li>Real-time: real-time component initiated</li>
-<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
-<li>NIS: Network inspection system</li>
-<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
-<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
-<li>Remote attestation</li>
-</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
-UAC</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Process Name: &lt;Process in the PID&gt;</dt>
-<dt>Action: &lt;Action&gt;, for example:<ul>
-<li>Clean: The resource was cleaned</li>
-<li>Quarantine: The resource was quarantined</li>
-<li>Remove: The resource was deleted</li>
-<li>Allow: The resource was allowed to execute/exist</li>
-<li>User defined: User defined action which is normally one from this list of actions that the user has specified</li>
-<li>No action: No action</li>
-<li>Block: The resource was blocked from executing</li>
-</ul>
-</dt>
-<dt>Action Status: &lt;Description of additional actions&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant <b>User action</b> steps below.</p>
-<table>
-<tr>
-<th>Action</th>
-<th>User action</th>
-</tr>
-<tr>
-<td>
-<p><b>Remove</b></p>
-</td>
-<td>
-<p>Update the definitions then verify that the removal was successful.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><b>Clean</b></p>
-</td>
-<td>
-<p>Update the definitions then verify that the remediation was successful.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><b>Quarantine</b></p>
-</td>
-<td>
-<p>Update the definitions and verify that the user has permission to access the necessary resources.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><b>Allow</b></p>
-</td>
-<td>
-<p>Verify that the user has permission to access the necessary resources.</p>
-</td>
-</tr>
-</table>
-<p> </p>
-<p>If this event persists:<ol>
-<li>Run the scan again.</li>
-<li>If it fails in the same way, go to the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support site</a>, enter the error number in the <b>Search</b> box to look for the error code.</li>
-<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
-</li>
-</ol>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 1120</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_THREAT_HASH</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>Windows Defender has deduced the hashes for a threat resource.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender client is up and running in a healthy state.</p>
-<dl>
-<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
-<dt>Threat Resource Path: &lt;Path&gt;</dt>
-<dt>Hashes: &lt;Hashes&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td></td>
-<td colspan="2">
-<div class="alert"><b>Note</b>  This event will only be logged if the following policy is set: <b>ThreatFileHashLogging 	unsigned</b>.</div>
-<div> </div>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 1150</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SERVICE_HEALTHY</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender client is up and running in a healthy state.</p>
-<dl>
-<dt>Platform Version: &lt;Current platform version&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>No action is necessary. The Windows Defenderclient is in a healthy state. This event is reported on an hourly basis.</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 2000</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SIGNATURE_UPDATED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware definitions updated successfully.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender signature version has been updated.</p>
-<dl>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
-<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Update Type: &lt;Update type&gt;, either Full or Delta.</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 2001</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware definition update failed. 
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has encountered an error trying to update signatures.</p>
-<dl>
-<dt>New Signature Version: &lt;New version number&gt;</dt>
-<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
-<dt>Update Source: &lt;Update source&gt;, for example:
-<ul>
-<li>Signature update folder</li>
-<li>Internal definition update server</li>
-<li>Microsoft Update Server</li>
-<li>File share</li>
-<li>Microsoft Malware Protection Center (MMPC)</li>
-</ul>
-</dt>
-<dt>Update Stage: &lt;Update stage&gt;, for example:
-<ul>
-<li>Search</li>
-<li>Download</li>
-<li>Install</li>
-</ul>
-</dt>
-<dt>Source Path: File share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.</dt>
-<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Update Type: &lt;Update type&gt;, either Full or Delta.</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>This error occurs when there is a problem updating definitions.</p>
-<p>To troubleshoot this event:
-<ol>
-<li>Update the definitions. Either:<ol>
-<li>Click the <b>Update definitions</b> button on the <b>Update</b> tab in Windows Defender. <img src="images/defender-updatedefs2.png" alt="Update definitions in Windows Defender"/><p>Or,</p>
-</li>
-<li>Download the latest definitions from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a>.
-<p>Note: The size of the definitions file downloaded from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a> can exceed 60 MB and should not be used as a long-term solution for updating definitions.</p>
-</li>
-</ol>
-</li>
-<li>Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.</li>
-<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
-</li>
-</ol>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 2002</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_ENGINE_UPDATED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware engine updated successfully.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender engine version has been updated.</p>
-<dl>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
-<dt>Engine Type: &lt;Engine type&gt;, either antimalware engine or Network Inspection System engine.</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 2003</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_ENGINE_UPDATE_FAILED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware engine update failed.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has encountered an error trying to update the engine.</p>
-<dl>
-<dt>New Engine Version:</dt>
-<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
-<dt>Engine Type: &lt;Engine type&gt;, either antimalware engine or Network Inspection System engine.</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.</p>
-<p>To troubleshoot this event:
-<ol>
-<li>Update the definitions. Either:<ol>
-<li>Click the <b>Update definitions</b> button on the <b>Update</b> tab in Windows Defender. <img src="images/defender-updatedefs2.png" alt="Update definitions in Windows Defender"/><p>Or,</p>
-</li>
-<li>Download the latest definitions from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a>.
-<p>Note: The size of the definitions file downloaded from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a> can exceed 60 MB and should not be used as a long-term solution for updating definitions.</p>
-</li>
-</ol>
-</li>
-<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
-</li>
-</ol>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 2004</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SIGNATURE_REVERSION</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.</p>
-<dl>
-<dt>Signatures Attempted:</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.</p>
-<p>To troubleshoot this event:
-<ol>
-<li>Restart the computer and try again.</li>
-<li>Download the latest definitions from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a>.
-<p>Note: The size of the definitions file downloaded from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a> can exceed 60 MB and should not be used as a long-term solution for updating definitions.</p>
-</li>
-<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
-</li>
-</ol>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 2005</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.</p>
-<dl>
-<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 2006</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_PLATFORM_UPDATE_FAILED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The platform update failed.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has encountered an error trying to update the platform.</p>
-<dl>
-<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 2007</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.</p>
-<dl>
-<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 2010</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware engine used the Dynamic Signature Service to get additional definitions.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender used <i>Dynamic Signature Service</i> to retrieve additional signatures to help protect your machine.</p>
-<dl>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Dynamic Signature Type: &lt;Dynamic signature type&gt;, for example:
-<ul>
-<li>Version</li>
-<li>Timestamp</li>
-<li>No limit</li>
-<li>Duration</li>
-</ul>
-</dt>
-<dt>Persistence Path: &lt;Path&gt;</dt>
-<dt>Dynamic Signature Version: &lt;Version number&gt;</dt>
-<dt>Dynamic Signature Compilation Timestamp: &lt;Timestamp&gt;</dt>
-<dt>Persistence Limit Type: &lt;Persistence limit type&gt;, for example:
-<ul>
-<li>VDM version</li>
-<li>Timestamp</li>
-<li>No limit</li>
-</ul>
-</dt>
-<dt>Persistence Limit: Persistence limit of the fastpath signature.</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 2011</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The Dynamic Signature Service deleted the out-of-date dynamic definitions.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender used <i>Dynamic Signature Service</i> to discard obsolete signatures.</p>
-<dl>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Dynamic Signature Type: &lt;Dynamic signature type&gt;, for example:
-<ul>
-<li>Version</li>
-<li>Timestamp</li>
-<li>No limit</li>
-<li>Duration</li>
-</ul>
-</dt>
-<dt>Persistence Path: &lt;Path&gt;</dt>
-<dt>Dynamic Signature Version: &lt;Version number&gt;</dt>
-<dt>Dynamic Signature Compilation Timestamp: &lt;Timestamp&gt;</dt>
-<dt>Removal Reason:</dt>
-<dt>Persistence Limit Type: &lt;Persistence limit type&gt;, for example:
-<ul>
-<li>VDM version</li>
-<li>Timestamp</li>
-<li>No limit</li>
-</ul>
-</dt>
-<dt>Persistence Limit: Persistence limit of the fastpath signature.</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 2012</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware engine encountered an error when trying to use the Dynamic Signature Service.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has encountered an error trying to use <i>Dynamic Signature Service</i>.</p>
-<dl>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Dynamic Signature Type: &lt;Dynamic signature type&gt;, for example:
-<ul>
-<li>Version</li>
-<li>Timestamp</li>
-<li>No limit</li>
-<li>Duration</li>
-</ul>
-</dt>
-<dt>Persistence Path: &lt;Path&gt;</dt>
-<dt>Dynamic Signature Version: &lt;Version number&gt;</dt>
-<dt>Dynamic Signature Compilation Timestamp: &lt;Timestamp&gt;</dt>
-<dt>Persistence Limit Type: &lt;Persistence limit type&gt;, for example:
-<ul>
-<li>VDM version</li>
-<li>Timestamp</li>
-<li>No limit</li>
-</ul>
-</dt>
-<dt>Persistence Limit: Persistence limit of the fastpath signature.</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>Check your Internet connectivity settings.</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 2013</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The Dynamic Signature Service deleted all dynamic definitions.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender discarded all <i>Dynamic Signature Service</i> signatures.</p>
-<dl>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 2020</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware engine downloaded a clean file.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender downloaded a clean file.</p>
-<dl>
-<dt>Filename: &lt;File name&gt;
-Name of the file.</dt>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 2021</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware engine failed to download a clean file.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has encountered an error trying to download a clean file.</p>
-<dl>
-<dt>Filename: &lt;File name&gt;
-Name of the file.</dt>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>Check your Internet connectivity settings.
-</p>
-<p>The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. 
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 2030</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware engine was downloaded and is configured to run offline on the next system restart.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 2031</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware engine was unable to download and configure an offline scan.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender has encountered an error trying to download and configure Windows Defender Offline.</p>
-<dl>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 2040</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_OS_EXPIRING
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>Antimalware support for this operating system version will soon end.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 2041</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_OS_EOL
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>Antimalware support for this operating system has ended. You must upgrade the operating system for continued support.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 2042</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_PROTECTION_EOL
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.</p>
-</td>
-</tr>
-<tr><th rowspan="3">Event ID: 2050</th><td><p>Symbolic name:</p></td><td colspan="2"><p><b>MALWAREPROTECTION_SAMPLESUBMISSION_UPLOAD</b></p></td></tr><tr><td><p>Message:</p></td><td colspan="2"><p><b>The antimalware engine has uploaded a file for further analysis.<br />Filename &lt;uploaded filename&gt;<br />Sha256: &lt;file SHA&gt;</b></p></td></tr><tr><td><p>Description:</p></td><td colspan="2"><p>A file was uploaded to the Windows Defender Antimalware cloud for further analysis or processing.</p></td></tr>
-
-<tr><th rowspan="4">Event ID: 2051</th><td><p>Symbolic name:</p></td><td colspan="2"><p><b>MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED_FAILED</b></p></td></tr><tr><td><p>Message:</p></td><td colspan="2"><p><b>The antimalware engine has encountered an error trying to upload a suspicious file for further analysis.<br />
-Filename: &lt;uploaded filename&gt;<br />
-Sha256: &lt;file SHA&gt;<br />
-Current Signature Version: &lt;signature version number&gt;<br/>
-Current Engine Version: &lt;engine version number&gt;<br />
-Error code: &lt;error code&gt;</b></p></td></tr><tr><td><p>Description:</p></td><td colspan="2"><p>A file could not be uploaded to the Windows Defender Antimalware cloud.</p></td></tr><tr><td><p>User action:</p></td><td colspan="2"><p>You can attempt to manually submit the file.</p></td></tr>
-
-
-
-
-
-<tr>
-<th rowspan="4">Event ID: 3002</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_RTP_FEATURE_FAILURE
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>Real-time protection encountered an error and failed.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender Real-Time Protection feature has encountered an error and failed.</p>
-<dl>
-<dt>Feature: &lt;Feature&gt;, for example:
-<ul>
-<li>On Access</li>
-<li>Internet Explorer downloads and Microsoft Outlook Express attachments</li>
-<li>Behavior monitoring</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Reason: The reason Windows Defender real-time protection has restarted a feature.</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>You should restart the system then run a full scan because it’s possible the system was not protected for some time.
-</p>
-<p>The Windows Defender client’s real-time protection feature encountered an error because one of the services failed to start. 
-</p>
-<p>If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. 
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="4">Event ID: 3007</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_RTP_FEATURE_RECOVERED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>Real-time protection recovered from a failure. We recommend running a full system scan when you see this error.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.</p>
-<dl>
-<dt>Feature: &lt;Feature&gt;, for example:
-<ul>
-<li>On Access</li>
-<li>IE downloads and Outlook Express attachments</li>
-<li>Behavior monitoring</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Reason: The reason Windows Defender real-time protection has restarted a feature.</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>The real-time protection feature has restarted. If this event happens again, contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>. </p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 5000</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_RTP_ENABLED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>Real-time protection is enabled.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 5001</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_RTP_DISABLED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>Real-time protection is disabled.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled. </p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 5004</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_RTP_FEATURE_CONFIGURED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The real-time protection configuration changed.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender Real-time Protection feature configuration has changed.</p>
-<dl>
-<dt>Feature: &lt;Feature&gt;, for example:
-<ul>
-<li>On Access</li>
-<li>IE downloads and Outlook Express attachments</li>
-<li>Behavior monitoring</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Configuration: </dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 5007</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_CONFIG_CHANGED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform configuration changed.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.</p>
-<dl>
-<dt>Old value: &lt;Old value number&gt;
-Old Windows Defender configuration value.</dt>
-<dt>New value: &lt;New value number&gt;
-New Windows Defender configuration value.</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="5">Event ID: 5008</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_ENGINE_FAILURE</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware engine encountered an error and failed.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender  engine has been terminated due to an unexpected error.</p>
-<dl>
-<dt>Failure Type: &lt;Failure type&gt;, for example:
-Crash
-or Hang</dt>
-<dt>Exception Code: &lt;Error code&gt;</dt>
-<dt>Resource: &lt;Resource&gt;</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>To troubleshoot this event:<ol>
-<li>Try to restart the service.<ul>
-<li>For antimalware, antivirus and spyware, at an elevated command prompt, type <b>net stop msmpsvc</b>, and then type <b>net start msmpsvc</b> to restart the antimalware engine.</li>
-<li>For the <i>Network Inspection System</i>, at an elevated command prompt, type <b>net start nissrv</b>, and then type <b>net start nissrv</b> to restart the <i>Network Inspection System</i> engine by using the NiSSRV.exe file.
-</li>
-</ul>
-</li>
-<li>If it fails in the same way, look up the error code by accessing the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support Site</a>  and entering the error number in the <b>Search</b> box, and contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.</li>
-</ol>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>User action:</p>
-</td>
-<td colspan="2">
-<p>The Windows Defender client engine stopped due to an unexpected error.</p>
-<p>To troubleshoot this event:
-<ol>
-<li>Run the scan again.</li>
-<li>If it fails in the same way, go to the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support site</a>, enter the error number in the <b>Search</b> box to look for the error code.</li>
-<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
-</li>
-</ol>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 5009</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_ANTISPYWARE_ENABLED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>Scanning for malware and other potentially unwanted software is enabled.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>Windows Defender scanning for malware and other potentially unwanted software has been enabled.</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 5010</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_ANTISPYWARE_DISABLED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>Scanning for malware and other potentially unwanted software is disabled.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>Windows Defender scanning for malware and other potentially unwanted software is disabled.</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 5011</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_ANTIVIRUS_ENABLED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>Scanning for viruses is enabled.</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>Windows Defender scanning for viruses has been enabled. </p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 5012</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_ANTIVIRUS_DISABLED
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>Scanning for viruses is disabled.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>Windows Defender scanning for viruses is disabled. </p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 5100</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_EXPIRATION_WARNING_STATE
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform will expire soon.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description:</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender  has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.</p>
-<dl>
-<dt>Expiration Reason: The reason Windows Defender will expire.</dt>
-<dt>Expiration Date: The date Windows Defender will expire.</dt>
-</dl>
-</p>
-</td>
-</tr>
-<tr>
-<th rowspan="3">Event ID: 5101</th>
-<td>
-<p>Symbolic name:</p>
-</td>
-<td colspan="2">
-<p><b>MALWAREPROTECTION_DISABLED_EXPIRED_STATE
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Message:</p>
-</td>
-<td colspan="2">
-<p><b>The antimalware platform is expired.
-</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Description::</p>
-</td>
-<td colspan="2">
-<p>
-<p>Windows Defender  grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.</p>
-<dl>
-<dt>Expiration Reason:</dt>
-<dt>Expiration Date: </dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</p>
-</td>
-</tr>
-</table>
-
-## Windows Defender client error codes
-If Windows Defender experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
-This section provides the following information about Windows Defender client errors.
--   The error code
--   The possible reason for the error
--   Advice on what to do now
-Use the information in these tables to help troubleshoot Windows Defender error codes.
-<table>
-<tr>
-<th colspan="4">External error codes</th>
-</tr>
-<tr>
-<th>Error code</th>
-<th>Message displayed</th>
-<th>Possible reason for error</th>
-<th>What to do now</th>
-</tr>
-<tr>
-<td>
-<p>0x80508007 
-</p>
-</td>
-<td>
-<p><b>ERR_MP_NO_MEMORY 
-</b></p>
-</td>
-<td>
-<p>This error indicates that you might have run out of memory. 
-</p>
-</td>
-<td>
-<p>
-<ol>
-<li>Check the available memory on your device.</li>
-<li>Close any unused applications that are running to free up memory on your device.</li>
-<li>Restart the device and run the scan again. 
-</li>
-</ol>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x8050800C</p>
-</td>
-<td>
-<p><b>ERR_MP_BAD_INPUT_DATA</b></p>
-</td>
-<td>
-<p>This error indicates that there might be a problem with your security product.</p>
-</td>
-<td rowspan="4">
-<p>
-<ol>
-<li>Update the definitions. Either:<ol>
-<li>Click the <b>Update definitions</b> button on the <b>Update</b> tab in Windows Defender. <img src="images/defender-updatedefs2.png" alt="Update definitions in Windows Defender"/><p>Or,</p>
-</li>
-<li>Download the latest definitions from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a>.
-<p>Note: The size of the definitions file downloaded from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a> can exceed 60 MB and should not be used as a long-term solution for updating definitions.</p>
-</li>
-</ol>
-</li>
-<li>Run a full scan.
-</li>
-<li>Restart the device and try again.</li>
-</ol>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508020</p>
-</td>
-<td>
-<p><b>ERR_MP_BAD_CONFIGURATION 
-</b></p>
-</td>
-<td>
-<p>This error indicates that there might be an engine configuration error; commonly, this is related to input 
-data that does not allow the engine to function properly. 
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x805080211 
-</p>
-</td>
-<td>
-<p><b>ERR_MP_QUARANTINE_FAILED 
-</b></p>
-</td>
-<td>
-<p>This error indicates that Windows Defender failed to quarantine a threat. 
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508022 
-</p>
-</td>
-<td>
-<p><b>ERR_MP_REBOOT_REQUIRED 
-</b></p>
-</td>
-<td>
-<p>This error indicates that a reboot is required to complete threat removal. 
-</p>
-</td>
-</tr>
-<tr>
-<td rowspan="2">
-<p>0x80508023 
-</p>
-</td>
-<td>
-<p><b>ERR_MP_THREAT_NOT_FOUND 
-</b></p>
-</td>
-<td>
-<p>This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device. 
-</p>
-</td>
-<td>
-<p>Run the <a href="https://www.microsoft.com/security/scanner/default.aspx">Microsoft Safety Scanner</a> then update your security software and try again. 
-</p>
-</td>
-</tr>
-<tr>
-<td rowspan="2">
-<p><b>ERR_MP_FULL_SCAN_REQUIRED 
-</b></p>
-</td>
-<td rowspan="2">
-<p>This error indicates that a full system scan might be required. 
-</p>
-</td>
-<td rowspan="2">
-<p>Run a full system scan. 
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508024 
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508025 
-</p>
-</td>
-<td>
-<p><b>ERR_MP_MANUAL_STEPS_REQUIRED 
-</b></p>
-</td>
-<td>
-<p>This error indicates that manual steps are required to complete threat removal. 
-</p>
-</td>
-<td>
-<p>Follow the manual remediation steps outlined in the <a href="https://www.microsoft.com/security/portal/threat/Threats.aspx">Microsoft Malware Protection Encyclopedia</a>. You can find a threat-specific link in the event history.  
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508026 
-</p>
-</td>
-<td>
-<p><b>ERR_MP_REMOVE_NOT_SUPPORTED 
-</b></p>
-</td>
-<td>
-<p>This error indicates that removal inside the container type might not be not supported. 
-</p>
-</td>
-<td>
-<p>Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources. 
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508027 
-</p>
-</td>
-<td>
-<p><b>ERR_MP_REMOVE_LOW_MEDIUM_DISABLED 
-</b></p>
-</td>
-<td>
-<p>This error indicates that removal of low and medium threats might be disabled. 
-</p>
-</td>
-<td>
-<p>Check the detected threats and resolve them as required. 
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508029 
-</p>
-</td>
-<td>
-<p><b>ERROR_MP_RESCAN_REQUIRED 
-</b></p>
-</td>
-<td>
-<p>This error indicates a rescan of the threat is required. 
-</p>
-</td>
-<td>
-<p>Run a full system scan. 
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508030 
-</p>
-</td>
-<td>
-<p><b>ERROR_MP_CALLISTO_REQUIRED 
-</b></p>
-</td>
-<td>
-<p>This error indicates that an offline scan is required. 
-</p>
-</td>
-<td>
-<p>Run Windows Defender Offline. You can read about how to do this in the <a href="http://windows.microsoft.com/windows/what-is-windows-defender-offline">Windows Defender Offline 
-article</a>.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508031 
-</p>
-</td>
-<td>
-<p><b>ERROR_MP_PLATFORM_OUTDATED  
-</b></p>
-</td>
-<td>
-<p>This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform. 
-</p>
-</td>
-<td>
-<p>You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use <a href="https://www.microsoft.com/server-cloud/system-center/endpoint-protection-2012.aspx">System Center Endpoint Protection</a>.  
-</p>
-</td>
-</tr>
-</table>
-<p> </p>
-<table>
-<tr>
-<th colspan="4">Internal error codes</th>
-</tr>
-<tr>
-<th>Error code</th>
-<th>Message displayed</th>
-<th>Possible reason for error</th>
-<th>What to do now</th>
-</tr>
-<tr>
-<td>
-<p>0x80501004</p>
-</td>
-<td>
-<p><b>ERROR_MP_NO_INTERNET_CONN 
-</b></p>
-</td>
-<td>
-<p>Check your Internet connection, then run the scan again.</p>
-</td>
-<td>
-<p>Check your Internet connection, then run the scan again.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80501000</p>
-</td>
-<td>
-<p><b>ERROR_MP_UI_CONSOLIDATION_BAS</b>E</p>
-</td>
-<td rowspan="34">
-<p>This is an internal error. The cause is not clearly defined.</p>
-</td>
-<td rowspan="36">
-<p>
-<ol>
-<li>Update the definitions. Either:<ol>
-<li>Click the <b>Update definitions</b> button on the <b>Update</b> tab in Windows Defender. <img src="images/defender-updatedefs2.png" alt="Update definitions in Windows Defender"/><p>Or,</p>
-</li>
-<li>Download the latest definitions from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a>.
-<p>Note: The size of the definitions file downloaded from the <a href="https://go.microsoft.com/fwlink/?LinkID=200965">Microsoft Malware Protection Center</a> can exceed 60 MB and should not be used as a long-term solution for updating definitions.</p>
-</li>
-</ol>
-</li>
-<li>Run a full scan.
-</li>
-<li>Restart the device and try again.</li>
-</ol>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80501001</p>
-</td>
-<td>
-<p><b>ERROR_MP_ACTIONS_FAILED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80501002</p>
-</td>
-<td>
-<p><b>ERROR_MP_NOENGINE</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80501003</p>
-</td>
-<td>
-<p><b>ERROR_MP_ACTIVE_THREATS</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x805011011</p>
-</td>
-<td>
-<p><b>MP_ERROR_CODE_LUA_CANCELLED </b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80501101</p>
-</td>
-<td>
-<p><b>ERROR_LUA_CANCELLATION </b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80501102</p>
-</td>
-<td>
-<p><b>MP_ERROR_CODE_ALREADY_SHUTDOWN</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80501103</p>
-</td>
-<td>
-<p><b>MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING </b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80501104</p>
-</td>
-<td>
-<p><b>MP_ERROR_CODE_CANCELLED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80501105</p>
-</td>
-<td>
-<p><b>MP_ERROR_CODE_NO_TARGETOS</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80501106</p>
-</td>
-<td>
-<p><b>MP_ERROR_CODE_BAD_REGEXP</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80501107</p>
-</td>
-<td>
-<p><b>MP_ERROR_TEST_INDUCED_ERROR</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80501108</p>
-</td>
-<td>
-<p><b>MP_ERROR_SIG_BACKUP_DISABLED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508001</p>
-</td>
-<td>
-<p><b>ERR_MP_BAD_INIT_MODULES</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508002</p>
-</td>
-<td>
-<p><b>ERR_MP_BAD_DATABASE</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508004</p>
-</td>
-<td>
-<p><b>ERR_MP_BAD_UFS </b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x8050800C</p>
-</td>
-<td>
-<p><b>ERR_MP_BAD_INPUT_DATA</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x8050800D</p>
-</td>
-<td>
-<p><b>ERR_MP_BAD_GLOBAL_STORAGE</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x8050800E</p>
-</td>
-<td>
-<p><b>ERR_MP_OBSOLETE</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x8050800F</p>
-</td>
-<td>
-<p><b>ERR_MP_NOT_SUPPORTED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x8050800F
-0x80508010
-</p>
-</td>
-<td>
-<p><b>ERR_MP_NO_MORE_ITEMS </b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508011</p>
-</td>
-<td>
-<p><b>ERR_MP_DUPLICATE_SCANID</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508012</p>
-</td>
-<td>
-<p><b>ERR_MP_BAD_SCANID</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508013</p>
-</td>
-<td>
-<p><b>ERR_MP_BAD_USERDB_VERSION</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508014</p>
-</td>
-<td>
-<p><b>ERR_MP_RESTORE_FAILED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508016</p>
-</td>
-<td>
-<p><b>ERR_MP_BAD_ACTION</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508019</p>
-</td>
-<td>
-<p><b>ERR_MP_NOT_FOUND</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80509001</p>
-</td>
-<td>
-<p><b>ERR_RELO_BAD_EHANDLE</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80509003</p>
-</td>
-<td>
-<p><b>ERR_RELO_KERNEL_NOT_LOADED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x8050A001</p>
-</td>
-<td>
-<p><b>ERR_MP_BADDB_OPEN</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x8050A002</p>
-</td>
-<td>
-<p><b>ERR_MP_BADDB_HEADER</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x8050A003</p>
-</td>
-<td>
-<p><b>ERR_MP_BADDB_OLDENGINE</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x8050A004</p>
-</td>
-<td>
-<p><b>ERR_MP_BADDB_CONTENT </b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x8050A005</p>
-</td>
-<td>
-<p><b>ERR_MP_BADDB_NOTSIGNED</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x8050801</p>
-</td>
-<td>
-<p><b>ERR_MP_REMOVE_FAILED</b></p>
-</td>
-<td>
-<p>This is an internal error. It might be triggered when malware removal is not successful. 
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>0x80508018 
-</p>
-</td>
-<td>
-<p><b>ERR_MP_SCAN_ABORTED 
-</b></p>
-</td>
-<td>
-<p>This is an internal error. It might have triggered when a scan fails to complete. 
-</p>
-</td>
-</tr>
-</table>
-
-## Related topics
-
-- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
+This page has been redirected to *Troubleshoot Windows Defender Antivirus*. 
\ No newline at end of file
diff --git a/windows/keep-secure/use-group-policy-windows-defender-antivirus.md b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
new file mode 100644
index 0000000000..07133adfb1
--- /dev/null
+++ b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
@@ -0,0 +1,15 @@
+---
+title: Configure Windows Defender AV with Group Policy
+description: Configure Windows Defender AV settings with Group Policy
+keywords: group policy, GPO, configuration, settings
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Use Group Policy settings to configure and manage Windows Defender AV
\ No newline at end of file
diff --git a/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
new file mode 100644
index 0000000000..9f6c3a09b5
--- /dev/null
+++ b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
@@ -0,0 +1,15 @@
+---
+title: Configure Windows Defender AV with Configuration Manager and Intune
+description: Use System Center Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection
+keywords: scep, intune, endpoint protection, configuration
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
\ No newline at end of file
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
new file mode 100644
index 0000000000..7d975adcd1
--- /dev/null
+++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -0,0 +1,51 @@
+---
+title: Use PowerShell cmdlets to configure and run Windows Defender AV
+description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender Antivirus.
+keywords: scan, command line, mpcmdrun, defender
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Use PowerShell cmdlets to configure and manage Windows Defender AV
+
+**Applies to:**
+
+- Windows 10
+
+You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx).
+
+For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) topic.
+
+PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. 
+
+> [!NOTE]
+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
+
+PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
+
+
+**Use Windows Defender PowerShell cmdlets**
+
+1. Click **Start**, type **powershell**, and press **Enter**.
+2. Click **Windows PowerShell** to open the interface. 
+    > [!NOTE]
+    > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+3. Enter the command and parameters.
+
+To open online help for any of the cmdlets type the following:
+
+```PowerShell
+Get-Help <cmdlet> -Online
+```
+Omit the `-online` parameter to get locally cached help.
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
index 0ab40df034..dec540347e 100644
--- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
@@ -10,41 +10,9 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: iaanw
+redirect_url: /use-powershell-cmdlets-windows-defender-antivirus/
 ---
 
 # Use PowerShell cmdlets to configure and run Windows Defender
 
-**Applies to:**
-
-- Windows 10
-
-You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx).
-
-For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) topic.
-
-PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. 
-
-> [!NOTE]
-> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
-
-PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
-
-
-**Use Windows Defender PowerShell cmdlets**
-
-1. Click **Start**, type **powershell**, and press **Enter**.
-2. Click **Windows PowerShell** to open the interface. 
-    > [!NOTE]
-    > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
-3. Enter the command and parameters.
-
-To open online help for any of the cmdlets type the following:
-
-```text
-Get-Help <cmdlet> -Online
-```
-Omit the `-online` parameter to get locally cached help.
-
-## Related topics
-
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
\ No newline at end of file
+This page has been redirected to *Use PowerShell cmdlets to configure and run Windows Defender Antivirus*.
\ No newline at end of file
diff --git a/windows/keep-secure/use-wmi-windows-defender-antivirus.md b/windows/keep-secure/use-wmi-windows-defender-antivirus.md
new file mode 100644
index 0000000000..e369e90bd8
--- /dev/null
+++ b/windows/keep-secure/use-wmi-windows-defender-antivirus.md
@@ -0,0 +1,15 @@
+---
+title: Configure Windows Defender AV with WMI
+description: Use WMI scripts to configure Windows Defender AV
+keywords: wmi, scripts, windows management instrumentation, configuration
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
\ No newline at end of file
diff --git a/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
new file mode 100644
index 0000000000..708740d908
--- /dev/null
+++ b/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -0,0 +1,57 @@
+---
+title: Utilize cloud-delivered protection in Windows Defender Antivirus
+description: Cloud-delivered protection provides an advanced level of fast, robust antivirus detection.
+keywords: windows defender antivirus, antimalware, security, defender, cloud, cloud-delivered protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+Cloud-delivered protection for Windows Defender Antivirus, also referred to as Microsoft Advanced Protection Service (MAPS), provides you with strong, fast protection in addition to our standard real-time protection.
+
+
+
+>[!NOTE] 
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+Enabling cloud-delivered protection helps detect and block new malware - even if the malware has never been seen before - without needing to wait for a traditionally delivered definition update to block it. Definition updates can take hours to prepare and deliver, while our cloud service can deliver updated protection in seconds. 
+
+Cloud-delivered protecton is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies.
+
+The following table describes the differences in cloud-based protection between recent versions of Windows and System Center Configuration Manager.
+
+
+Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | Configuration manager 2012 | Configuration manager (current branch) | Microsoft Intune
+---|---|---|---|---|---|---
+Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service
+Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version
+Block at first sight availability | No | Yes | Yes | Not configurable | Configurable | No
+Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | No
+ 
+You can also [configure Windows Defender AV to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates).
+
+
+## In this section
+
+ Topic | Description 
+---|---
+[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
+[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
+[Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
+[Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for a traditional signature. You can enable and configure it with System Center Configuration Manager and Group Policy.
+[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-based protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-antivirus-in-windows-10.md b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
new file mode 100644
index 0000000000..350b93809e
--- /dev/null
+++ b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
@@ -0,0 +1,74 @@
+---
+title: Windows Defender Antivirus
+description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10.
+keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
+ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Windows Defender Antivirus in Windows 10
+
+**Applies to**
+-   Windows 10
+
+Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
+
+This library of documentation is aimed for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network.
+
+For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/library/dn765478.aspx).
+
+## What's new in Windows 10, version 1703
+
+New features for Windows Defender AV in Windows 10, version 1703 include:
+- [Updates to how the Block at First Sight feature can be configured](configure-block-at-first-sight-windows-defender-antivirus.md)
+- [The ability to specify the level of cloud-protection](specify-cloud-protection-level-windows-defender-antivirus.md)
+- [Windows Defender Antivirus protection in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
+
+We've expanded this documentation library to cover end-to-end deployment, management, and configuration for Windows Defender AV, and we've added some new guides that can help with evaluating and deploying Windows Defender AV in certain scenarios:
+- [Evaluation guide for Windows Defender AV](evaluate-windows-defender-antivirus.md)
+- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](deployment-vdi-windows-defender-antivirus.md)
+
+See the [In this library](#in-this-library) list at the end of this topic for links to each of the updated sections in this library.
+
+
+## Minimum system requirements
+
+Windows Defender has the same hardware requirements as Windows 10. For more information, see:
+-   [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
+-   [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
+
+
+Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic.
+
+## Compatibility with Windows Defender Advanced Threat Protection
+
+Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network. 
+
+See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
+
+If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. 
+
+In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware.
+
+You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+
+
+ 
+## In this library
+
+Topic | Description
+:---|:---
+[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and powershell script.
+[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools.
+[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can use a number of management tools, including Group Policy, System Center Configuration Manager, Microsoft Intune, PowerShell cmdlets, and Windows Management Instrumentation (WMI). You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings.
+[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected.
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-antivirus.md)|Review event IDs in Windows Defender Antivirus and take the appropriate actions.
+[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here.
+
diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md
index 342b7ac541..4c9af5e903 100644
--- a/windows/keep-secure/windows-defender-block-at-first-sight.md
+++ b/windows/keep-secure/windows-defender-block-at-first-sight.md
@@ -10,121 +10,10 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: iaanw
+redirect_url: /configure-block-at-first-sight-windows-defender-antivirus/
+
 ---
 
 # Block at First Sight
 
-**Applies to**
-
-- Windows 10, version 1607
-
-**Audience**
-
-- Network administrators
-
-Block at First Sight is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds. 
-
-It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention.
-
-## How it works
-
-When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
-
-> [!NOTE]
-> The Block at first sight feature only uses the cloud-protection backend for "portable executable" (PE) files that are downloaded from the Internet, or originating from the Internet zone. This includes file types such as .exe, .dll, .scr, and so on. A hash value of the file is checked via the cloud backend to determine if this is a previously undetected file.
-
-If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file. 
-
-In many cases this process can reduce the response time to new malware from hours to seconds.
-
-> [!NOTE]
-> Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files.
-
-
-## Confirm Block at First Sight is enabled
-
-Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender deployments in enterprise networks.
-
-> [!IMPORTANT]
-> There is no specific individual setting in System Center Configuration Manager to enable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly.
-
-### Confirm Block at First Sight is enabled with Group Policy
-
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3.  In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4.  Click **Policies** then **Administrative templates**.
-
-5.  Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following Group Policies:
-    
-    1.  Double-click the **Join Microsoft MAPS** setting and ensure the option is set to **Enabled**. Click **OK**.
-    
-    1.  Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following:
-    
-        1. Send safe samples (1)
-        
-        1. Send all samples (3)
-
-        > [!WARNING]
-        > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
-
-    1. Click **OK**.
-
-1.  In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection**:
-    
-    1.  Double-click the **Scan all downloaded files and attachments** setting and ensure the option is set to **Enabled**. Click **OK**.
-    
-    1.  Double-click the **Turn off real-time protection** setting and ensure the option is set to **Disabled**. Click **OK**.
-
-If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
-
-
-### Confirm Block at First Sight is enabled with Windows Settings
-
-> [!NOTE]
-> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
-
-You can confirm that Block at First Sight is enabled in Windows Settings. The feature is automatically enabled, as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
-
-**Confirm Block at First Sight is enabled on individual clients**
-
-1. Open Windows Defender settings:
-
-    a. Open the Windows Defender app and click **Settings**.
-    
-    b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender**.
-
-2.	Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
-
-## Disable Block at First Sight
-
-> [!WARNING]
-> Disabling the Block at First Sight feature will lower the protection state of the endpoint and your network.
-
-> [!NOTE]
-> You cannot disable Block at First Sight with System Center Configuration Manager
-
-You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
-
-**Disable Block at First Sight with Group Policy**
-
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3.  In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4.  Click **Policies** then **Administrative templates**.
-
-5.  Expand the tree through **Windows components > Windows Defender > MAPS**.
-
-1.  Double-click the **Configure the ‘Block at First Sight’ feature** setting and set the option to **Disabled**.
-
-    > [!NOTE]
-    > Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies.
-
-
-## Related topics
-
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
-
-
+This page has been redirected to *Configure the Block at First Sight feature*.
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-enhanced-notifications.md b/windows/keep-secure/windows-defender-enhanced-notifications.md
index e70fede4fd..b63c67e65f 100644
--- a/windows/keep-secure/windows-defender-enhanced-notifications.md
+++ b/windows/keep-secure/windows-defender-enhanced-notifications.md
@@ -10,37 +10,9 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: iaanw
+redirect_url: /configure-notifications-windows-defender-antivirus/
 ---
 
 # Configure enhanced notifications for Windows Defender in Windows 10
 
-**Applies to:**
-
-- Windows 10, version 1607
-
-In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise.
-
-Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals.
-
-You can enable and disable enhanced notifications in Windows Settings. 
-
-## Disable notifications
-
-You can disable enhanced notifications on individual endpoints in Windows Settings. 
-
-**Use Windows Settings to disable enhanced notifications on individual endpoints**
-
-1. Open the **Start** menu and click or type **Settings**.
-
-1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Enhanced notifications** section.
-
-1. Toggle the setting between **On** and **Off**.
-
-![Windows Defender enhanced notifications](images/defender/enhanced-notifications.png)
-
-
-
-
-## Related topics
-
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
+This page has been redirected to *Configure notifications*.
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md
index 58ecb02cde..4eb81e6c4e 100644
--- a/windows/keep-secure/windows-defender-in-windows-10.md
+++ b/windows/keep-secure/windows-defender-in-windows-10.md
@@ -8,72 +8,9 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: jasesso
+redirect_url: /windows-defender-antivirus-in-windows-10/
 ---
 
 # Windows Defender in Windows 10
 
-**Applies to**
--   Windows 10
-
-Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
-This topic provides an overview of Windows Defender, including a list of system requirements and new features.
-
-For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
-
-Take advantage of Windows Defender by configuring settings and definitions using the following tools:
--   Microsoft Active Directory *Group Policy* for settings
--   Windows Server Update Services (WSUS) for definitions
-
-Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md).
-> **Note:**  System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
--   Settings management
--   Definition update management
--   Alerts and alert management
--   Reports and report management
-
-When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
-
-
-### Compatibility with Windows Defender Advanced Threat Protection
-
-Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network. 
-
-See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
-
-If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. 
-
-In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware.
-
-You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
-
-If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
-
-
- 
-### Minimum system requirements
-
-Windows Defender has the same hardware requirements as Windows 10. For more information, see:
--   [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
--   [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
-
-### New and changed functionality
-
--   **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise.
--   **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed.
--   **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices.
-
-For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website.
-
-## In this section
-
-Topic | Description
-:---|:---
-[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans.
-[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services.
-[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media.
-[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10.
-[Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud.
-[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal.
-[Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)|Use the command-line utility to run a Windows Defender scan.
-[Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md)|Use the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions.
+This page has been redirected to *Windows Defender Antivirus in Windows 10*.
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-offline.md b/windows/keep-secure/windows-defender-offline.md
index a90a308ed7..c3e4825764 100644
--- a/windows/keep-secure/windows-defender-offline.md
+++ b/windows/keep-secure/windows-defender-offline.md
@@ -1,6 +1,6 @@
 ---
 title: Windows Defender Offline in Windows 10
-description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network.
+description: You can use Windows Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network.
 keywords: scan, defender, offline
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -12,15 +12,26 @@ localizationpriority: medium
 author: iaanw
 ---
 
-# Windows Defender Offline in Windows 10
+# Run and review the results of a Windows Defender Offline scan
+
 
 **Applies to:**
 
 - Windows 10, version 1607
 
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell cmdlets
+- Windows Management Instruction (WMI)
+
 Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
 
-In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
+In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
 
 ## Pre-requisites and requirements
 
@@ -39,16 +50,18 @@ To run Windows Defender Offline from the endpoint, the user must be logged in wi
  
 ## Windows Defender Offline updates
 
-Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+Windows Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated. 
 
 > [!NOTE]
-> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+> Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
 
-For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic.
+See the [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) topic for more information.
 
 ## Usage scenarios
 
-In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints.
+In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. 
+
+The need to perform an offline scan will also be revealed in System Center Configuration Manager if you're using it to manage your endpoints.
 
 The prompt can occur via a notification, similar to the following:
 
@@ -58,125 +71,76 @@ The user will also be notified within the Windows Defender client:
 
 ![Windows Defender showing the requirement to run Windows Defender Offline](images/defender/client.png)
 
-In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
+In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. 
+
+Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
 
 ![System Center Configuration Manager indicating a Windows Defender Offline scan is required](images/defender/sccm-wdo.png)
 
-## Manage notifications
+## Configure notifications
 <a name="manage-notifications"></a>
 
-You can suppress Windows Defender Offline notifications with Group Policy. 
+Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV notifications.
 
-> [!NOTE]
-> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required.
-
-**Use Group Policy to suppress Windows Defender notifications:**
-
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3.  In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4.  Click **Policies** then **Administrative templates**.
-
-5.  Expand the tree to **Windows components > Windows Defender > Client Interface**.
-
-1.  Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
-
-## Configure Windows Defender Offline settings
-
-You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications. 
-
-For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics:
-
--	[Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
-
--	[Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx)
-
-For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic.
+For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) topic.
 
 ## Run a scan 
 
-Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings.
+> [!IMPORTANT]
+> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
 
-> [!NOTE]
-> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. 
+You can run a Windows Defender Offline scan with the following:
 
-You can set up a Windows Defender Offline scan with the following:
-
--	Windows Update and Security settings
-
--	Windows Defender
-
--	Windows Management Instrumentation
-
--	Windows PowerShell
-
--	Group Policy
-
-> [!NOTE]
-> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
-
-**Run Windows Defender Offline from Windows Settings:**
-
-1.	Open the **Start** menu and click or type **Settings**.
-
-1.	Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section.
-
-1.	Click **Scan offline**. 
-
-    ![Windows Defender Offline setting](images/defender/settings-wdo.png)
-
-1.	Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
-
-**Run Windows Defender Offline from Windows Defender:**
-
-1.	Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client. 
-
-1.	On the **Home** tab click **Download and Run**.
-
-    ![Windows Defender home tab showing the Download and run button](images/defender/download-wdo.png)
-
-1.	Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- The Windows Defender Security Center app
 
 
-**Use Windows Management Instrumentation to configure and run Windows Defender Offline:**
 
-Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan.
- 
-The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
+**Use PowerShell cmdlets to run an offline scan:**
+
+Use the following cmdlets:
+
+```PowerShell
+Start-MpWDOScan
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to run an offline scan:**
+
+Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class to run an offline scan.
+
+The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
 
 ```WMI
 wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start 
 ```
 
-For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics:
+See the following for more information:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
 
--	[Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx) 
 
--	[MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx)
+**Use the Windows Defender Security app to run an offline scan:**
 
-**Run Windows Defender Offline using PowerShell:**
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
-Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan. 
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label:
+
+    
+3.	Select **Windows Defender Offline scan** and click **Scan now**.
+
+
+> [!NOTE]
+> In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client.
 
-For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic.
 
 ## Review scan results
 
-Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan. 
+Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history). 
 
-1.	Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client. 
-
-1.	Go to the **History** tab.
-
-1.	Select **All detected items**.
-
-1.	Click **View details**.
-
-Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**:
-
-![Windows Defender detection source showing as Offline](images/defender/detection-source.png)
 
 ## Related topics
 
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
\ No newline at end of file
+- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-security-center-antivirus.md b/windows/keep-secure/windows-defender-security-center-antivirus.md
new file mode 100644
index 0000000000..3eba103bd0
--- /dev/null
+++ b/windows/keep-secure/windows-defender-security-center-antivirus.md
@@ -0,0 +1,145 @@
+---
+title: Windows Defender Antivirus in the Windows Defender Security Center app
+description: Windows Defender AV is now included in the Windows Defender Security Center app.
+keywords: wdav, antivirus, firewall, security, windows
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+
+
+
+# Windows Defender Antivirus in the Windows Defender Security Center app
+
+**Applies to**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- End-users
+
+**Manageability available with**
+
+- Windows Defender Security Center app  
+
+
+In Windows 10, version 1703 (also known as the Creators Update), the Windows Defender app is now part of the Windows Defender Security Center.
+
+Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
+
+The app also includes the settings and status of:
+
+- The PC (as "device health")
+- Windows Firewall
+- Windows Defender SmartScreen Filter
+- Parental and Family Controls
+
+**Review virus and threat protection settings in the Windows Defender Security Center app:**
+
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png)
+    
+## Comparison of settings and functions of the old app and the new app
+
+All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Defender Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app. 
+
+The following diagrams compare the location of settings and functions between the old and new apps:
+
+![Version of Windows Defender in Windows 10 before version 1703](images/defender/wdav-windows-defender-app-old.png)
+
+![Windows Defender Antivirus in Windows 10, version 1703 and later](images/defender/wdav-wdsc.png)
+
+Item | Windows 10, before version 1703 | Windows 10, version 1703 | Description
+---|---|---|---
+1 | **Update** tab | **Protection updates** | Update the protection ("definition updates")
+2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed
+3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission
+4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Windows Defender Offline scan
+5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 you can run custom and full scans under the **Advanced scan** option
+
+
+## Common tasks
+
+This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the new Windows Defender Security app.
+
+> [!NOTE]
+> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
+
+**Run a scan with the Windows Defender Security Center app**
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Click **Quick scan**.
+
+4. Click **Advanced scan** to specify different types of scans, such as a full scan.
+
+
+**Download protection updates in the Windows Defender Security Center app**
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Click **Protection updates**.
+
+4. Click **Check for updates** to download new protection updates (if there are any).
+
+
+
+**Ensure Windows Defender Antivirus is enabled in the Windows Defender Security Center app**
+
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Click **Virus & threat protection settings**.
+
+4. Toggle the switches to **On** for the following settings:
+    1.  **Real-time protection**
+    2.  **Cloud-based protection**
+    3.  **Automatic sample submission**
+
+
+
+
+<a id="exclusions"></a>
+**Add exclusions for Windows Defender Antivirus in the Windows Defender Security Center app**
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Click **Virus & threat protection settings**.
+
+4. Under the **Exclusions** setting, click **Add or remove exclusions**. 
+
+5. Click the plus icon to choose the type and set the options for each exclusion. 
+
+<a id="detection-history"></a>
+**Review threat detection history in the Windows Defender Security Center app**
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Click **Scan history**.
+
+4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
+
+
+
+
+## Related topics
+
+- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
+
+
diff --git a/windows/manage/images/waas-wufb-update-compliance.png b/windows/manage/images/waas-wufb-update-compliance.png
new file mode 100644
index 0000000000..0c1bbaea7c
Binary files /dev/null and b/windows/manage/images/waas-wufb-update-compliance.png differ
diff --git a/windows/manage/windows-store-for-business-overview.md b/windows/manage/windows-store-for-business-overview.md
index 81941f86f8..a3a565c261 100644
--- a/windows/manage/windows-store-for-business-overview.md
+++ b/windows/manage/windows-store-for-business-overview.md
@@ -18,12 +18,12 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
-With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
+With Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
 
 ## Features
 
 
-Organizations of any size can benefit from using the Store for Business provides:
+Organizations of any size can benefit from using the Store for Business:
 
 -   **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate the Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
 
@@ -47,7 +47,6 @@ Organizations of any size can benefit from using the Store for Business provides
 
 ## Prerequisites
 
-
 You'll need this software to work with the Store for Business.
 
 ### Required
@@ -78,7 +77,6 @@ While not required, you can use a management tool to distribute and manage apps.
 
 ## How does the Store for Business work?
 
-
 ### Sign up!
 
 The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization.
diff --git a/windows/update/waas-delivery-optimization.md b/windows/update/waas-delivery-optimization.md
index 7a3e27122c..ffc4f91f43 100644
--- a/windows/update/waas-delivery-optimization.md
+++ b/windows/update/waas-delivery-optimization.md
@@ -37,24 +37,24 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
 
 Several Delivery Optimization features are configurable:
 
-| Group Policy setting | MDM setting |
-| --- | --- |
-| [Download mode](#download-mode) | DODownloadMode |
-| [Group ID](#group-id)  | DOGroupID |
-| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer |
-| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer |
-| [Max Cache Age](#max-cache-age) | DOMaxCacheAge |
-| [Max Cache Size](#max-cache-size)  | DOMaxCacheSize |
-| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize |
-| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive |
-| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache |
-| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth |
-| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth |
-| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth |
-| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap |
-| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS |
-| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching |
-| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 
+| Group Policy setting | MDM setting | Supported from version |
+| --- | --- | --- |
+| [Download mode](#download-mode) | DODownloadMode | 1511 |
+| [Group ID](#group-id)  | DOGroupID | 1511 |
+| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 |
+| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 |
+| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 |
+| [Max Cache Size](#max-cache-size)  | DOMaxCacheSize | 1511 |
+| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 |
+| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 |
+| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 |
+| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 |
+| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 |
+| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 |
+| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 |
+| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 |
+| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1703 |
+| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1703 |
 
 When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure, would be [Download mode](#download-mode). Download mode dictates how Delivery Optimization downloads Windows updates.
 
@@ -82,7 +82,7 @@ Various controls allow administrators to further customize scenarios where Deliv
 - [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
 - [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled.
 - [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) allows clients connected through VPN to use peer caching.
-- [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur.
+- [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur. Enabling this policy is required to allow upload while on battery.
 
 ### How Microsoft uses Delivery Optimization
 In Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
@@ -119,11 +119,11 @@ By default, peer sharing on clients using the group download mode is limited to
 <span id="minimum-ram-allowed-to-use-peer-caching"/>
 ### Minimum RAM (inclusive) allowed to use Peer Caching  
 
-This setting specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means not limited, which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4 GB.  
+This setting specifies the minimum RAM size in GB required to use Peer Caching. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4 GB, and the default value is 4 GB.
 
 ### Minimum disk size allowed to use Peer Caching
 
-This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means not limited, which means the cloud service set default value will be used. The recommended values are 64 to 256 GB.
+This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256 GB, and the default value is 32 GB.
 
 >[!NOTE]
 >If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check will apply to the new working directory specified by this policy.
@@ -143,7 +143,7 @@ This setting specifies the maximum number of gigabytes the Delivery Optimization
 
 ### Minimum Peer Caching Content File Size
 
-This setting specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. The recommended values are from 1 to 100000 MB. 
+This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000 MB.
 
 ### Maximum Download Bandwidth
 
@@ -159,7 +159,7 @@ This setting allows you to limit the amount of upload bandwidth individual clien
 
 ### Minimum Background QoS
 
-This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
+This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
 
 ### Modify Cache Drive
 
@@ -177,7 +177,9 @@ This setting determines whether a device will be allowed to participate in Peer
 
 This setting specifies battery levels at which a device will be allowed to upload data. Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set if you allow uploads on battery is 40 (for 40%).
 The device can download from peers while on battery regardless of this policy.
-The value 0 means not limited, which means the cloud service set default value will be used.
+
+>[!IMPORTANT]
+> By default, devices **will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause.
 
 <span id="set-preferred-cache-devices"/>
 ## Set “preferred” cache devices for Delivery Optimization
@@ -188,7 +190,7 @@ To specify which devices are preferred, you can set the **Max Cache Age** config
 
 On devices that are not preferred, you can choose to set the following policy to prioritize data coming from local peers instead of the Internet:
 
--  Set **DOMinBackgroundQoS** with a low value, for example `65536` which is the equivalent of 64 KB/s.
+-  Set **DOMinBackgroundQoS** with a low value, for example `64` which is the equivalent of 64 KB/s.
 
 ## Learn more
 
diff --git a/windows/update/waas-manage-updates-wufb.md b/windows/update/waas-manage-updates-wufb.md
index f15a5388f4..3bb0310e57 100644
--- a/windows/update/waas-manage-updates-wufb.md
+++ b/windows/update/waas-manage-updates-wufb.md
@@ -104,6 +104,13 @@ Windows Update for Business was first made available in Windows 10, version 1511
 <tr><td><p>Drivers</p></td><td><p>No driver-specific controls</p></td><td><p>Drivers can be selectively excluded from Windows Update for Business.</p></td></tr>
 </tbody></table>
 
+## Monitor Windows Updates using Update Compliance
+
+Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses telemetry data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.
+
+![Update Compliance Dashboard](images/waas-wufb-update-compliance.png)
+
+For more information about Update Compliance, see [Monitor Windows Updates using Update Compliance](update-compliance-monitor.md).
 
 ## Steps to manage updates for Windows 10
 
@@ -119,7 +126,6 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 </tbody></table>
 </br>
 
-
 ## Related topics
 
 - [Update Windows 10 in the enterprise](index.md)
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index 265b3b3910..87a9c88d26 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -146,7 +146,7 @@ Many users customize their settings for Windows and for specific applications. C
 
 With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
 
-With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and EU-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. 
+With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. 
 
 [Learn how to synchronize user-customized settings with UE-V.](../manage/uev-for-windows.md)
 
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index f92b7cc421..22fd04dd94 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -1,5 +1,5 @@
 ---
-title: What's new in Windows 10, version 1703 (Windows 10)
+title: New IT Pro content for Windows 10, version 1703
 description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile.
 keywords: ["What's new in Windows 10", "Windows 10", "creators update"]
 ms.prod: w10
@@ -10,9 +10,11 @@ localizationpriority: high
 ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617
 ---
 
-# What's new in Windows 10, version 1703
+# New IT Pro content for Windows 10, version 1703
 
-Below is a list of some of the new and updated features in Windows 10, version 1703 (also known as the Creators Update).
+Below is a list of some of the new and updated content that discusses Information Technology (IT) Pro features in Windows 10, version 1703 (also known as the Creators Update).
+
+For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features).
 
 >[!NOTE]
 >For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info).
@@ -50,7 +52,7 @@ The following new Group Policy and mobile device management (MDM) settings are a
 
 ### Start and taskbar layout
 
-Enterprises can apply a customized Start and taskbar layout to devices running Windows 10 Pro, version 1703. 
+Enterprises have been able to apply customized Start and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized Start and taskbar layout can also be applied to Windows 10 Pro. 
 
 Additional MDM policy settings are available for Start and taskbar layout. For details, see [Manage Windows 10 Start and taskbar layout](../configure/windows-10-start-layout-options-and-policies.md).
 
@@ -64,7 +66,11 @@ The Lockdown Designer app helps you configure and create a lockdown XML file to
 
 [Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md)
 
+### Cortana at work
 
+Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
+
+Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
 
 
 ## Deployment
@@ -79,12 +85,6 @@ Additional security features of Windows 10 that are enabled when you boot in UEF
 
 For details, see [MBR2GPT.EXE](../deploy/mbr-to-gpt.md).
 
-### Cortana at work
-
-Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
-
-Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
-
 ## Security
 
 ### Windows Defender Advanced Threat Protection 
@@ -174,7 +174,11 @@ To check out all the details, see [Configure Delivery Optimization for Windows 1
 ### Application Virtualization for Windows (App-V)
 Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Addtionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
 
-To see info about these updates, see [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-provision-a-vm.md), [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-sequencing.md), [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md), and [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md)
+For more info, see the following topics:
+- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-provision-a-vm.md)
+- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-sequencing.md)
+- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md)
+- [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md)
 
 ## Related topics