Merge remote-tracking branch 'refs/remotes/origin/master' into 6641851

.gitignore

@@ -14,4 +14,3 @@ windows/keep-secure/index.md
 
 # User-specific files  
 .vs/
-

windows/keep-secure/TOC.md

@@ -27,8 +27,8 @@
 ### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
 #### [Windows Information Protection (WIP) overview](wip-enterprise-overview.md)
 #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
-#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
+#### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md)
-#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
+#### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
 ## [VPN profile options](vpn-profile-options.md)
 ## [Windows security baselines](windows-security-baselines.md)
@@ -704,8 +704,13 @@
 ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
 ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
 #### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
+#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
+##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
 #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
 ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
 #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
 #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)

windows/keep-secure/advanced-security-auditing-faq.md

@@ -125,7 +125,7 @@ Often it is not enough to know simply that an object such as a file or folder wa
 
 ## <a href="" id="bkmk-8"></a>How do I know when changes are made to access control settings, by whom, and what the changes were?
 
-To track access control changes on computers running Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs:
+To track access control changes on computers running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs:
 -   **Audit File System** subcategory: Enable for success, failure, or success and failure
 -   **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure
 -   A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor

windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md

@@ -14,20 +14,22 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 As a security operations team member, you can manage Windows Defender ATP alerts as part of your routine activities. Alerts will appear in queues according to their current status.
 
 To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
 
-> **Note**&nbsp;&nbsp;By default, the queues are sorted from newest to oldest.
+> [!NOTE]
+> By default, the queues are sorted from newest to oldest.
 
 The following table and screenshot demonstrate the main areas of the **Alerts queue**.
 
-![Screenshot of the Dashboard showing the New Alerts list and navigation bar](images/alertsq.png)
+![Screenshot of the Dashboard showing the New Alerts list and navigation bar](images/alertsq2.png)
 
 Highlighted area|Area name|Description
 :---|:---|:---
@@ -59,7 +61,8 @@ There are three mechanisms to pivot the queue against:
   - **30 days**
   - **6 months**
 
-  > **Note**&nbsp;&nbsp;You can change the sort order (for example, from most recent to least recent) by clicking the sort order icon ![the sort order icon looks like two arrows on top of each other](images/sort-order-icon.png)
+  > [!NOTE]
+  > You can change the sort order (for example, from most recent to least recent) by clicking the sort order icon ![the sort order icon looks like two arrows on top of each other](images/sort-order-icon.png)
 
 ### Related topics
 - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)

windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md

@@ -11,22 +11,22 @@ author: mjcaparas
 ---
 
 # Assign user access to the Windows Defender ATP portal
-
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Azure Active Directory
-<!--Office 365-->
+- Office 365
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). You can assign users with one of the following levels of permissions:
-
-Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). User can be assigned one of the following levels of permissions:
 - Full access (Read and Write)
 - Read only access
 
 **Full access** <br>
-Users with full access can log in, view all system information as well as resolve alerts, submit files for deep analysis, and download the onboarding package.
+Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
 Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
 
 **Read only access** <br>
@@ -34,13 +34,21 @@ Users with read only access can log in, view all alerts, and related information
 They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
 Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
 
-<!--
+Use the following steps to assign security roles:
-Your administrator can assign roles using the Office 365 portal, or in the Azure classic portal, or by using the AAD module for Windows PowerShell. 
+- Preparations:
-For more information, see [Assigning admin roles in Office 365](https://support.office.com/en-us/article/Assigning-admin-roles-in-Office-365-eac4d046-1afd-4f1a-85fc-8219c79e1504?ui=en-US&rs=en-US&ad=US) and [Assigning administrator roles in Azure Active Directory](https://azure.microsoft.com/en-us/documentation/articles/active-directory-assign-admin-roles/).-->
+    - Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/).<br> 
     
-Use the following cmdlets to perform the security role assignment:
+        > [!NOTE]
+        > You need to run the PowerShell cmdlets in an elevated command-line.
 
-- Full access:<br>```Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com”```
+- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/en-us/library/dn194123.aspx).
-- Read only access:<br>```Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"```
+- For **read and write** access, assign users to the security administrator role by using the following command:
+```text
+Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
+```
+- For **read only** access, assign users to the security reader role by using the following command:
+```text
+Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com”
+```
 
 For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/en-us/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).

windows/keep-secure/change-history-for-keep-windows-10-secure.md

@@ -23,18 +23,22 @@ The topics in this library have been updated for Windows 10, version 1607 (also
 - [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)
 - [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)
 - [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)
-- [Detect and block Potentially Unwanted Applications](enable-pua-windows-defender-for-windows-10.md)
+- [Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md)
+- [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
+- [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+- [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+- [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
 
 
 ## July 2016
 
 |New or changed topic | Description |
 |----------------------|-------------|
-|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated various topics throughout this section for new name and new UI in Microsoft Intune and System Center Configuration Manager. |
 |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New |
 |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New |
-|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |New |
+|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New |
-|[Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |New |
+|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New |
 |[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (multiple topics) | Updated |
 |[Device Guard deployment guide](device-guard-deployment-guide.md) (multiple topics) | Updated |
 
@@ -43,7 +47,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
 
 |New or changed topic | Description |
 |----------------------|-------------|
-|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added an update about needing to reconfigure your Windows Information Protection app rules after delivery of the June service update. |
+|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. |
 | [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New |
 | [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics |
 | [Windows security baselines](windows-security-baselines.md) | New |
@@ -56,7 +60,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
 | [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. |
 | [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content |
 |[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated info based on changes to the features and functionality.|
-| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview |
+| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 |
 |[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (mutiple topics) | New |
 
 ## April 2016
@@ -70,7 +74,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
 
 |New or changed topic | Description |
 |----------------------|-------------|
-|[Requirements to use AppLocker](requirements-to-use-applocker.md) |Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 Technical Preview is required to manage AppLocker by using Group Policy.|
+|[Requirements to use AppLocker](requirements-to-use-applocker.md) |Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 is required to manage AppLocker by using Group Policy.|
 |[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Added pre-release content about how to set up and deploy Windows Information Protection (WIP) in an enterprise environment.|
 
 ## February 2016

windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,87 @@
+---
+title: Configure an Azure Active Directory application for SIEM integration
+description: Configure an Azure Active Directory application so that it can communicate with supported SIEM tools.
+keywords: configure aad for siem integration, siem integration, application, oauth 2
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Configure an Azure Active Directory application for SIEM integration
+
+**Applies to:**
+
+- Azure Active Directory
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application  to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal.
+
+1. Login to the [Azure management portal](https://manage.windowsazure.com).
+
+2. Select **Active Directory**.
+
+3. Select your tenant.
+
+4. Click **Applications**, then select **Add** to create a new application.
+
+5. Click **Add an application my organization is developing**.
+
+6. Choose a client name for the application, for example, *Alert Export Client*.
+
+7. Select **WEB APPLICATION AND/OR WEB API** in the Type section.
+
+8. Assign a sign-on URL and app ID URI to the application, for example, `https://alertexportclient`.
+
+9. Confirm the request details and verify that you have successfully added the app.
+
+10. Select the application you've just created from the directory application list and click the **Configure** tab.
+
+11. Scroll down to the **keys** section and select a duration for the application key.
+
+12. Type the following URLs in the **Reply URL** field:
+
+  - `https://DataAccess-PRD.trafficmanager.net:444/api/FetchAccessTokenFromAuthCode`
+  - `https://localhost:44300/WDATPconnector`
+
+13. Click **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory.
+
+14. Open a web browser and connect to the following URL: <br>
+```text
+https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=<tenant ID>&clientSecret=1234
+```
+An Azure login page appears.
+> [!NOTE]
+> - Replace *tenant ID* with your actual tenant ID.
+> - Keep the client secret as is. This is a dummy value, but the parameter must appear.
+
+15. Sign in with the credentials of a user from your tenant.
+
+16. Click **Accept** to provide consent. Ignore the error.
+
+17. Click **Application configuration** under your tenant.
+
+18. Click **Permissions to other applications**, then select **Add application**.
+
+19. Click **All apps** from the **SHOW** field and submit.
+
+20. Click **WDATPAlertExport**, then select **+** to add the application. You should see it on the **SELECTED** panel.
+
+21. Submit your changes.
+
+22. On the **WDATPAlertExport** record, in the **Delegated Permissions** field, select **Access WDATPAlertExport**.
+
+23. Save the application changes.
+
+After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use.
+
+## Related topics
+- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)

windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,93 @@
+---
+title: Configure HP ArcSight to consume Windows Defender ATP alerts
+description: Configure HP ArcSight to receive and consume alerts from the Windows Defender ATP portal.
+keywords: configure hp arcsight, security information and events management tools, arcsight
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Configure HP ArcSight to consume Windows Defender ATP alerts
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+You'll need to configure HP ArcSight so that it can consume Windows Defender ATP alerts.
+
+## Before you begin
+
+- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
+    - OAuth 2 Token refresh URL
+    - OAuth 2 Client ID
+    - OAuth 2 Client secret
+- Create your OAUth 2 Client properties file or get it from your Windows Defender ATP contact. For more information, see the ArcSight FlexConnector Developer's guide.
+
+  > [!NOTE]
+  > **For the authorization URL**: Append the following to the value you got from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com``` <br>
+  > **For the redirect_uri value use**: ```https://localhost:44300/wdatpconnector```
+  >
+- Get the *wdatp-connector.properties* file from your Windows Defender ATP contact. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
+- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet.
+- Contact the Windows Defender ATP team to get your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in the ArcSight FlexConnector Developer's guide.
+
+## Configure HP ArcSight
+The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
+
+1. Copy the *wdatp-connector.jsonparser.properties* file into the `<root>\current\user\agent\flexagent` folder of the connector installation folder.
+
+2. Save the *wdatp-connector.properties* file into a folder of your choosing.
+
+3. Open an elevated command-line:
+
+    a. Go to **Start** and type **cmd**.
+
+    b. Right-click **Command prompt** and select **Run as administrator**.
+
+4. Enter the following command and press **Enter**: ```runagentsetup.bat```. The Connector Setup pop-up window appears.
+
+5. In the form fill in the following required fields with these values:
+    >[!NOTE]
+    >All other values in the form are optional and can be left blank.
+    
+    <table>
+    <tbody style="vertical-align:top;">
+    <tr>
+    <th>Field</th>
+    <th>Value</th>
+    </tr>
+    <tr>
+    <td>Configuration File</td>
+    <td>Type in the name of the client property file. It must match the client property file.</td>
+    </tr>
+    <td>Events URL</td>
+    <td>`https://DataAccess-PRD.trafficmanager.net:444/api/alerts`</td>
+    <tr>
+    <td>Authentication Type</td>
+    <td>OAuth 2</td>
+    </tr>
+    <td>OAuth 2 Client Properties file</td>
+    <td>Select *wdatp-connector.properties*.</td>
+    <tr>
+    <td>Refresh Token</td>
+    <td>Paste the refresh token that your Windows Defender ATP contact provided, or run the `restutil` tool to get it.</td>
+    </tr>
+    </tr>
+    </table>
+6. Select **Next**, then **Save**.
+
+7. Run the connector. You can choose to run in Service mode or Application mode.
+
+8. In the HP ArcSight console, create a **Windows Defender ATP** channel with intervals and properties suitable to your enterprise needs. Windows Defender ATP alerts will appear as discrete events, with “Microsoft” as the vendor and “Windows Defender ATP” as the device name.  
+
+## Related topics
+- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)

windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md

@@ -14,14 +14,17 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Group Policy
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+> [!NOTE]
+> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
 
-> **Note**&nbsp;&nbsp;To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later. 
+## Onboard endpoints
-
-### Onboard endpoints
 1.  Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
 
     a.  Click **Endpoint Management** on the **Navigation pane**.
@@ -45,6 +48,7 @@ author: mjcaparas
 9. Click **OK** and close any open GPMC windows.
 
 ## Additional Windows Defender ATP configuration settings
+For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
 
 You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
 
@@ -66,10 +70,14 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
 
 6.  Choose to enable or disable sample sharing from your endpoints.
 
+>[!NOTE]
+> If you don't set a value, the default value is to enable sample collection.
+
 ### Offboard endpoints
 For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
 
-> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
+> [!NOTE]
+> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
 
 1.	Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
 
@@ -79,7 +87,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
-3.	Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click Edit.
+3.	Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
 
 4.	In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
 
@@ -101,7 +109,8 @@ With Group Policy there isn’t an option to monitor deployment of policies on t
 2.	Click **Machines view**.
 3.	Verify that endpoints are appearing.
 
-> **Note**&nbsp;&nbsp;It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
+> [!NOTE]
+> It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
 
 
 ## Related topics

windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md

@@ -14,11 +14,12 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14379 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints. 
 
 For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
@@ -35,7 +36,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
 
     b.  Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file.
 
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called  *WindowsDefenderATP.onboarding*.
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named  *WindowsDefenderATP.onboarding*.
 
 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
 
@@ -53,13 +54,15 @@ Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThrea
  Configuration for onboarded machines  | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled 
  
 
-> **Note**&nbsp;&nbsp;The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
+> [!NOTE]
+> The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
 
 ### Offboard and monitor endpoints
 
 For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
 
-> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
+> [!NOTE]
+> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
 
 1.	Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
 
@@ -82,7 +85,8 @@ Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding |
  Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
   | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
 
-> **Note**&nbsp;&nbsp;The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
+> [!NOTE]
+> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
 
 
 ## Related topics

windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md

@@ -12,23 +12,27 @@ author: mjcaparas
 
 # Configure endpoints using System Center Configuration Manager
 
-
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332  or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- System Center 2012 Configuration Manager or later versions
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
 
 <span id="sccm1606"/>
 ## Configure endpoints using System Center Configuration Manager (current branch) version 1606
-System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section.
+System Center Configuration Manager (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
-
-> **Note**&nbsp;&nbsp; If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.
 
 <span id="sccm1602"/>
-## Configure endpoints using System Center Configuration Manager (current branch) version 1602 or earlier versions 
+## Configure endpoints using System Center Configuration Manager earlier versions
-You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in System Center Configuration Manager (current branch), version 1602 or earlier, including: System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager. 
+You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
+
+- System Center 2012 Configuration Manager
+- System Center 2012 R2 Configuration Manager
+- System Center Configuration Manager (current branch), version 1511
+- System Center Configuration Manager (current branch), version 1602
 
 ### Onboard endpoints
 
@@ -36,9 +40,9 @@ You can use System Center Configuration Manager’s existing functionality to cr
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file.
+    b. Select **System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
 
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
 
 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
 
@@ -46,17 +50,42 @@ You can use System Center Configuration Manager’s existing functionality to cr
 
     a. Choose a predefined device collection to deploy the package to.
 
+### Configure sample collection settings
+For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
+
+You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on an endpoint.
+This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure they’re complaint.
+
+The configuration is set through the following registry key entry:
+
+```text
+Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
+Name: "AllowSampleCollection"
+Value: 0 or 1
+```
+Where:<br>
+Key type is a D-WORD. <br>
+Possible values are:
+- 0 - doesn't allow sample sharing  from this endpoint
+- 1 - allows sharing of all file types from this endpoint
+
+The default value in case the registry key doesn’t exist is 1.
+
+For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx).
+
+
 ### Offboard endpoints
 
 For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
 
-> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
+> [!NOTE]
+> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
 
 1.	Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Under **Endpoint offboarding** section, select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file.
+    b. Under **Endpoint offboarding** section, select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
@@ -83,10 +112,23 @@ Monitoring with SCCM consists of two parts:
 
 4. Review the status indicators under **Completion Statistics** and **Content Status**.
 
-If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to  troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information.
+If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to  troubleshoot the endpoints. For more information see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
 
 ![SCCM showing successful deployment with no errors](images/sccm-deployment.png)
 
+**Check that the endpoints are compliant with the Windows Defender ATP service:**<br>
+You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment.
+
+This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines.
+
+Monitor the following registry key entry:
+```
+Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
+Name: “OnboardingState”
+Value: “1”
+```
+For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx).
+
 ## Related topics
 - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
 - [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)

windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md

@@ -11,9 +11,18 @@ author: mjcaparas
 ---
 
 # Configure endpoints using a local script
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
 You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
 
-
+## Onboard endpoints
 1.  Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
 
     a.  Click **Endpoint Management** on the **Navigation pane**.
@@ -21,11 +30,11 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
     b.  Select **Local Script**, click **Download package** and save the .zip file.
 
 
-2.  Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
+2.  Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
 
 3.  Open an elevated command-line prompt on the endpoint and run the script:
 
-    a.  Click **Start** and type **cmd**.
+    a.  Go to **Start** and type **cmd**.
 
     b.  Right-click **Command prompt** and select **Run as administrator**.
 
@@ -35,12 +44,34 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
 
 5.  Press the **Enter** key or click **OK**.
 
-See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.
+For for information on how you can manually validate that the endpoint is compliant and correctly reports telemetry see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
 
-## Offboard endpoints using a local script
+## Configure sample collection settings
+For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
+
+You can manually configure the sample sharing setting on the endpoint by using *regedit* or creating and running a *.reg* file.  
+
+The configuration is set through the following registry key entry:
+
+```text
+Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
+Name: "AllowSampleCollection"
+Value: 0 or 1
+```
+Where:<br>
+Name type is a D-WORD. <br>
+Possible values are:
+- 0 - doesn't allow sample sharing  from this endpoint
+- 1 - allows sharing of all file types from this endpoint
+
+The default value in case the registry key doesn’t exist is 1.
+
+
+## Offboard endpoints
 For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
 
-> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
+> [!NOTE]
+> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
 
 1.	Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
 
@@ -52,7 +83,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
 3.  Open an elevated command-line prompt on the endpoint and run the script:
 
-    a.  Click **Start** and type **cmd**.
+    a.  Go to **Start** and type **cmd**.
 
     b.  Right-click **Command prompt** and select **Run as administrator**.
 
@@ -62,6 +93,18 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
 5.  Press the **Enter** key or click **OK**.
 
+## Monitor endpoint configuration
+You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) to verify that the script completed successfully and the agent is running.
+
+Monitoring can also be done directly on the portal, or by using the different deployment tools.
+
+### Monitor endpoints using the portal
+1.	Go to the Windows Defender ATP portal.
+
+2.	Click **Machines view**.
+
+3.	Verify that endpoints are appearing.
+
 
 ## Related topics
 - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)

windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md

@@ -1,7 +1,7 @@
 ---
 title: Configure Windows Defender ATP endpoints
-description: Use Group Policy or SCCM to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service.
+description: Configure endpoints so that they are onboarded to the service.
-keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm, system center configuration manager
+keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -14,11 +14,12 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 Endpoints in your organization must be configured so that the Windows Defender ATP service can get telemetry from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization. 
 
 Windows Defender ATP supports the following deployment tools and methods:

windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md

@@ -1,7 +1,7 @@
 ---
 title: Configure Windows Defender ATP endpoint proxy and Internet connection settings
 description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service.
-keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, web proxy auto detect, wpad, netsh, winhttp, proxy server
+keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -15,168 +15,91 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
 
 The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service.
 
 The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
 
-- Configure Web Proxy Auto Detect (WPAD) settings and configure Windows to automatically detect the proxy server
+- Configure the proxy server manually using a static proxy
 
-- Configure the proxy server manually using Netsh
+## Configure the proxy server manually using a static proxy
+Configure a static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
 
-## Configure Web Proxy Auto Detect (WPAD) settings and proxy server
+The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**.
 
-Configure WPAD in the environment and configure Windows to automatically detect the proxy server through Policy or the local Windows settings.
+The registry key that this policy sets can be found at:
-
+```HKLM\Software\Policies\Microsoft\Windows\DataCollection              TelemetryProxyServer```
-Enable the **Automatically detect settings** option in the Windows Proxy settings so that WinHTTP can use the WPAD feature to locate a proxy server.
-
-1. Click **Start** and select **Settings**.
-
-2. Click **Network & Internet**.
-
-3. Select **Proxy**.
-
-4. Verify that the **Automatically detect settings** option is set to On.
-
-    ![Image showing the proxy settings configuration page](images/proxy-settings.png)
-
-5. If the **Use setup script** or **Manual proxy setup** options are enabled then you will need to [configure proxy settings manually by using Netsh](#configure-proxy-server-manually-using-netsh) method for WinHTTP to discover the appropriate proxy settings and connect.
-
-## Configure the proxy server manually using Netsh
-
-If **Use setup script** or **Manual proxy setup** settings are configured in the Windows Proxy setting, then endpoints will not be discovered by WinHTTP.
-Use Netsh to configure the proxy settings to enable connectivity.
-
-You can configure the endpoint by using any of these methods:
-
-- Importing the configured proxy settings to WinHTTP
-- Configuring the proxy settings manually to WinHTTP
-
-After configuring the endpoints, you'll need to verify that the correct proxy settings were applied.
-
-**Import the configured proxy settings to WinHTTP**
-
-1.  Open an elevated command-line prompt on the endpoint:
-
-    a.  Click **Start** and type **cmd**.
-
-    b.  Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command and press **Enter**:
 
+The policy and the registry key takes the following string format:
 ```text
- netsh winhttp import proxy source=ie
+<server name or ip>:<port>
 ```
- An output showing the applied WinHTTP proxy settings is displayed.
+For example: 10.0.0.6:8080
 
-
+If the static proxy settings are configured after onboarding, then you must restart the PC to apply the proxy settings.
- **Configure the proxy settings manually to WinHTTP**
-
- 1.  Open an elevated command-line prompt on the endpoint:
-
-    a.  Click **Start** and type **cmd**.
-
-    b.  Right-click **Command prompt** and select **Run as administrator**.
-
- 2. Enter the following command and press **Enter**:
-
- ```text
- proxy [proxy-server=] ProxyServerName:PortNumber
- ```
-    Replace *ProxyServerName* with the fully qualified domain name of the proxy server.
-
-    Replace *PortNumber* with the port number that you want to configure the proxy server with.
-
- An output showing the applied WinHTTP proxy settings is displayed.
-
-
-**Verify that the correct proxy settings were applied**
-
-1.  Open an elevated command-line prompt on the endpoint:
-
-    a.  Click **Start** and type **cmd**.
-
-    b.  Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command and press **Enter**:
-
-```
-netsh winhttp show proxy
-```
-
-For more information on how to use Netsh see, [Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)](https://technet.microsoft.com/en-us/library/cc731131(v=ws.10).aspx)     
 
 ## Enable access to Windows Defender ATP service URLs in the proxy server
 
 If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
 
-- *.blob.core.windows.net
+Primary Domain Controller | .Microsoft.com DNS record
-- crl.microsoft.com
+:---|:---
-- eu.vortex-win.data.microsoft.com
+ Central US | winatp-gw-cus.microsoft.com <br> us.vortex-win.data.microsoft.com <br> crl.microsoft.com <br>*.blob.core.windows.net
-- sevillegwcus.microsoft.com
+ East US (2)| winatp-gw-eus.microsoft.com <br> us.vortex-win.data.microsoft.com <br> crl.microsoft.com <br>*.blob.core.windows.net
-- sevillegweus.microsoft.com
+ West Europe | winatp-gw-weu.microsoft.com <br> eu.vortex-win.data.microsoft.com <br> crl.microsoft.com <br>*.blob.core.windows.net
-- sevillegwneu.microsoft.com
+ North Europe | winatp-gw-neu.microsoft.com <br> eu.vortex-win.data.microsoft.com <br> crl.microsoft.com <br>*.blob.core.windows.net
-- sevillegwweu.microsoft.com
-- us.vortex-win.data.microsoft.com 
-- www.microsoft.com
 
+ <br>
+ If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP  sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
 
-If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP  sensor is connecting from system context, make sure anonymous traffic is permitted to the above listed URLs.
 
 ## Verify client connectivity to Windows Defender ATP service URLs
 
 Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
 
-1. Download the connectivity verification tools to the PC where Windows Defender ATP sensor is running on:
+1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Windows Defender ATP sensor is running on.
 
-    - [Download PsTools Suite](https://technet.microsoft.com/en-us/sysinternals/bb896649)
+2.  Extract the contents of WDATPConnectivityAnalyzer on the endpoint.
-    - [Download PortQry Command Line Port Scanner Version 2.0 utility](https://www.microsoft.com/en-us/download/details.aspx?id=17148)
-
-2. Extract the contents of **PsTools** and **PortQry** to a directory on the computer hard drive.
 
 3. Open an elevated command-line:
 
-    a. Click **Start** and type **cmd**.
+    a. Go to **Start** and type **cmd**.
 
     b.  Right-click **Command prompt** and select **Run as administrator**.
 
 4. Enter the following command and press **Enter**:
 
     ```
-    HardDrivePath\PsExec.exe -s cmd.exe
+    HardDrivePath\WDATPConnectivityAnalyzer.cmd
     ```
-    Replace *HardDrivePath* with the path where the PsTools Suite was extracted to:
+    Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example 
-    ![Image showing the command line](images/psexec-cmd.png)
+    ```text
-
+    C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd
-5. Enter the following command and press **Enter**:
-
     ```
-    HardDrivePath\portqry.exe -n us.vortex-win.data.microsoft.com -e 443 -p tcp
+
+5. Extract the *WDATPConnectivityAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*.
+
+6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. <br><br>
+The tool checks the connectivity of Windows Defender ATP service URLs that Windows Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Windows Defender ATP  services. For example:
+  ```text
+  Testing URL : https://xxx.microsoft.com/xxx
+  1 - Default proxy: Succeeded (200)
+  2 - Proxy auto discovery (WPAD): Succeeded (200)
+  3 - Proxy disabled: Succeeded (200)
+  4 - Named proxy: Doesn't exist
+  5 - Command line proxy: Doesn't exist              
   ```
-    Replace *HardDrivePath* with the path where the PortQry utility was extracted to:
-    ![Image showing the command line](images/portqry.png)
 
-6.	Verify that the output shows that the name is **resolved** and connection status is **listening**.
+If at least one of the connectivity options returns a (200) status, then the Windows Defender ATP client can communicate with the tested URL properly using this connectivity method. <br><br>
 
-7. Repeat the same steps for the remaining URLs with the following arguments:
+However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy server). The URLs you'll use will depend on the region selected during the onboarding procedure.
-
-   - portqry.exe -n eu.vortex-win.data.microsoft.com -e 443 -p tcp
-   - portqry.exe -n sevillegwcus.microsoft.com -e 443 -p tcp
-   - portqry.exe -n sevillegweus.microsoft.com -e 443 -p tcp
-   - portqry.exe -n sevillegwweu.microsoft.com -e 443 -p tcp
-   - portqry.exe -n sevillegwneu.microsoft.com -e 443 -p tcp
-   - portqry.exe -n www.microsoft.com -e 80 -p tcp
-   - portqry.exe -n crl.microsoft.com -e 80 -p tcp
-
-8. Verify that each URL shows that the name is **resolved** and the connection status is **listening**.
-
-If the any of the verification steps indicate a fail, then verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
 
 ## Related topics
 - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)

windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,43 @@
+---
+title: Configure security information and events management tools
+description: Configure supported security information and events management tools to receive and consume alerts.
+keywords: configure siem, security information and events management tools, splunk, arcsight
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Configure security information and events management (SIEM) tools to consume alerts
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
+
+Windows Defender ATP currently supports the following SIEM tools:
+
+- Splunk
+- HP ArcSight
+
+To use either of these supported SIEM tools you'll need to:
+
+- [Configure an Azure Active Directory application for SIEM integration in your tenant](configure-aad-windows-defender-advanced-threat-protection.md)
+- Configure the supported SIEM tool:
+    - [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+    - [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+
+## In this section
+
+Topic | Description
+:---|:---
+[Configure an Azure Active Directory application](configure-aad-windows-defender-advanced-threat-protection.md)| Learn about configuring an Azure Active Directory application to integrate with supported security information and events management (SIEM) tools.
+ [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to consume Windows Defender ATP alerts.
+ [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to consume Windows Defender ATP alerts.

windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,110 @@
+---
+title: Configure Splunk to consume Windows Defender ATP alerts
+description: Configure Splunk to receive and consume alerts from the Windows Defender ATP portal.
+keywords: configure splunk, security information and events management tools, splunk
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Configure Splunk to consume Windows Defender ATP alerts
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+You'll need to configure Splunk so that it can consume Windows Defender ATP alerts.
+
+## Before you begin
+
+- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk
+- Contact the Windows Defender ATP team to get your refresh token
+- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
+    - OAuth 2 Token refresh URL
+    - OAuth 2 Client ID
+    - OAuth 2 Client secret
+
+## Configure Splunk
+
+1. Login in to Splunk.
+
+2. Click **Search & Reporting**, then **Settings** > **Data inputs**.
+
+3. Click **REST** under **Local inputs**.
+> [!NOTE]
+> This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).
+
+4. Click **New**.
+
+5. Type the following values in the required fields, then click **Save**:
+> [!NOTE]
+>All other values in the form are optional and can be left blank.
+
+  <table>
+  <tbody style="vertical-align:top;">
+  <tr>
+  <th>Field</th>
+  <th>Value</th>
+  </tr>
+  <tr>
+  <td>Endpoint URL</td>
+  <td>https://DataAccess-PRD.trafficmanager.net:444/api/alerts</td>
+  </tr>
+  <tr>
+  <td>HTTP Method</td>
+  <td>GET</td>
+  </tr>
+  <td>Authentication Type</td>
+  <td>oauth2</td>
+  <tr>
+  <td>OAuth 2 Token Refresh URL</td>
+  <td>	Value taken from AAD application</td>
+  </tr>
+  <tr>
+  <td>OAuth 2 Client ID</td>
+  <td>Value taken from AAD application</td>
+  </tr>
+  <tr>
+  <td>OAuth 2 Client Secret</td>
+  <td>Value taken from AAD application</td>
+  </tr>
+  <tr>
+  <td>Response type</td>
+  <td>Json</td>
+  </tr>
+  <tr>
+  <td>Response Handler</td>
+  <td>JSONArrayHandler</td>
+  </tr>
+  <tr>
+  <td>Polling Interval</td>
+  <td>Number of seconds that Splunk will ping the Windows Defender ATP endpoint. Accepted values are in seconds.</td>
+  </tr>
+  <tr>
+  <td>Set sourcetype</td>
+  <td>From list</td>
+  </tr>
+  <tr>
+  <td>Source type</td>
+  <td>\_json</td>
+  </tr>
+  </tr>
+  </table>
+
+After completing these configuration steps, you can go to the Splunk dashboard and run queries.
+
+You can use the following query as an example in Splunk: <br>
+```source="rest://windows atp alerts"|spath|table*```
+
+
+## Related topics
+- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
+- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)

windows/keep-secure/credential-guard.md

@@ -12,7 +12,7 @@ author: brianlic-msft
 
 **Applies to**
 -   Windows 10
--   Windows Server 2016 Technical Preview
+-   Windows Server 2016
 
 Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.
 
@@ -290,7 +290,7 @@ Some ways to store credentials are not protected by Credential Guard, including:
 
 -   Software that manages credentials outside of Windows feature protection
 -   Local accounts and Microsoft Accounts
--   Credential Guard does not protect the Active Directory database running on Windows Server 2016 Technical Preview domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 Technical Preview servers running Remote Desktop Gateway. If you're using a Windows Server 2016 Technical Preview server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise.
+-   Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise.
 -   Key loggers
 -   Physical attacks
 -   Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization.
@@ -328,7 +328,7 @@ Enabling compound authentication also enables Kerberos armoring, which provides
 
 ### Deploying machine certificates
 
-If the domain controllers in your organization are running Windows Server 2016 Technical Preview, devices running Windows 10 will automatically enroll a machine certificate when Credential Guard is enabled and the PC is joined to the domain.
+If the domain controllers in your organization are running Windows Server 2016, devices running Windows 10 will automatically enroll a machine certificate when Credential Guard is enabled and the PC is joined to the domain.
 If the domain controllers are running Windows Server 2012 R2, the machine certificates must be provisioned manually on each device. You can do this by creating a certificate template on the domain controller or certificate authority and deploying the machine certificates to each device.
 The same security procedures used for issuing smart cards to users should be applied to machine certificates.
 

windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md

@@ -14,11 +14,12 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 The **Dashboard** displays a snapshot of:
 
 - The latest active alerts on your network
@@ -40,18 +41,18 @@ You can view the overall number of active ATP alerts from the last 30 days in yo
 
 Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**).
 
-See the [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topic for more information.
+For more information see, [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
 
-The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topics for more information.
+The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see,  [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
 
 ## Machines at risk
 This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
 
 ![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png)
 
-Click the name of the machine to see details about that machine. See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine) topic for more information.
+Click the name of the machine to see details about that machine. For more information see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine).
 
-You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) topic for more information.
+You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
 
 ## Status
 The **Status** tile informs you if the service is active and running and the unique number of machines (endpoints) reporting over the past 30 days.
@@ -84,7 +85,8 @@ Threats are considered "active" if there is a very high probability that the mal
 
 Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
 
-> **Note**&nbsp;&nbsp;The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> [!NOTE]
+> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
 
 ### Related topics
 - [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)

windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,15 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
-> **Note**&nbsp;&nbsp;This document covers the information specific to the Windows Defender ATP service. Other data shared and stored by Windows Defender and Windows 10 is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See the [Windows 10 privacy FAQ for more information](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq).
+> [!NOTE]
+> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See also [Windows 10 privacy FAQ](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq) for more information.
 
 ## What data does Windows Defender ATP collect?
 
@@ -28,7 +30,7 @@ Microsoft will collect and store information from your configured endpoints in a
 
 Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version).
 
-Microsoft stores this data in a Microsoft Azure security-specific data store, and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
+Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
 
 Microsoft uses this data to:
 - Proactively identify indicators of attack (IOAs) in your organization
@@ -39,10 +41,10 @@ Microsoft does not mine your data for advertising or for any other purpose other
 
 ## Do I have the flexibility to select where to store my data?
 
-Data for this new service is stored in Microsoft Azure datacenters in the United States and European Union based on the geolocation properties. Subject to the relevant preview program you may be able to specify your preferred geolocation when you onboard to the service. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations in which your data will reside. Microsoft will not transfer the data from the specified geolocation except in specific circumstances during the preview stage.
+When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
 
 ## Is my data isolated from other customer data?
-Yes. The new cloud service provides appropriate segregation at a number of levels, such as isolation of files, configurations, and telemetry data. Aside from data access authentication, simply keeping different data appropriately segregated provides well-recognized protection.
+Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. 
 
 ## How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
 
@@ -58,18 +60,14 @@ Additionally, Microsoft conducts background verification checks of certain opera
 No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
 
 ## How long will Microsoft store my data? What is Microsoft’s data retention policy?
-Your data privacy is one of Microsoft's key commitments for the cloud. For this service, at contract termination or expiration, your data will be erased from Microsoft’s systems to make it unrecoverable after 90 days (from contract termination or expiration).
+**At service onboarding**<br>
+You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs.
+
+**At contract termination or expiration**<br>
+Your data will be kept for a period of at least 90 days, during which it will be available to you. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
+
 
 ## Can Microsoft help us maintain regulatory compliance?
 Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsoft’s compliance standards.
 By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service.
 
-## Is there a difference between how Microsoft handles data for the preview programs and for General Availability?
-Subject to the preview program you are in, you could be asked to choose to store your data in a datacenter either in Europe or United States. Your data will not be copied or moved outside of the datacenter you choose, except in the following specific circumstance:
-
-1.	You choose Europe as your datacenter, and
-2.	You [submit a file for deep analysis](investigate-files-windows-defender-advanced-threat-protection.md#submit-files-for-analysis).
-
-In this circumstance, the submitted file will be sent to the US deep analysis laboratory. The results of the analysis will be stored in the European datacenter, and the file and data will be deleted from the US deep analysis laboratory and datacenter.
-
-This is a temporary measure as we work to integrate our deep analysis capabilities into the European datacenter. If you have any concerns or questions about submitting files for deep analysis and you are using a European datacenter, or if you’d like to be updated as to when the European deep analysis lab is online, email [winatp@microsoft.com](mailto:winatp@microsoft.com).

windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,32 @@
+---
+title: Windows Defender compatibility
+description: Learn about how Windows Defender works with Windows Defender ATP.
+keywords: windows defender compatibility, defender, windows defender atp
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Windows Defender compatibility
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+The Windows Defender Advanced Threat Protection agent depends on Windows Defender for some capabilities such as file scanning.
+
+If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender on that endpoint will enter into passive mode.
+
+Windows Defender will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
+
+The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
+
+For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).

windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md

@@ -1,7 +1,7 @@
 ---
 title: Review events and errors on endpoints with Event Viewer
 description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service.
-keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Advanced Threat Protection service, cannot start, broken, can't start
+keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Defender Advanced Threat Protection service, cannot start, broken, can't start
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -15,16 +15,19 @@ author: iaanw
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Event Viewer
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints.
 
 For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
 
-> **Note**&nbsp;&nbsp;It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
+> [!NOTE]
+> It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
 
 **Open Event Viewer and find the Windows Defender ATP service event log:**
 
@@ -35,7 +38,8 @@ For example, if endpoints are not appearing in the **Machines view** list, you m
 
   a.  You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**.
 
-    > **Note**&nbsp;&nbsp;SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+    > [!NOTE]
+	> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
 
 3.  Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service.
 
@@ -49,39 +53,39 @@ For example, if endpoints are not appearing in the **Machines view** list, you m
 </tr>
 <tr>
 <td>1</td>
-<td>Windows Advanced Threat Protection service started (Version ```variable```).</td>
+<td>Windows Defender Advanced Threat Protection service started (Version ```variable```).</td>
 <td>Occurs during system start up, shut down, and during onbboarding.</td>
 <td>Normal operating notification; no action required.</td>
 </tr>
 <tr>
 <td>2</td>
-<td>Windows Advanced Threat Protection service shutdown.</td>
+<td>Windows Defender Advanced Threat Protection service shutdown.</td>
 <td>Occurs when the endpoint is shut down or offboarded.</td>
 <td>Normal operating notification; no action required.</td>
 </tr>
 <tr>
 <td>3</td>
-<td>Windows Advanced Threat Protection service failed to start. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection service failed to start. Failure code: ```variable```.</td>
 <td>Service did not start.</td>
 <td>Review other messages to determine possible cause and troubleshooting steps.</td>
 </tr>
 <tr>
 <td>4</td>
-<td>Windows Advanced Threat Protection service contacted the server at ```variable```.</td>
+<td>Windows Defender Advanced Threat Protection service contacted the server at ```variable```.</td>
-<td>variable = URL of the Windows Defender ATP processing servers.<br>
+<td>Variable = URL of the Windows Defender ATP processing servers.<br>
 This URL will match that seen in the Firewall or network activity.</td>
 <td>Normal operating notification; no action required.</td>
 </tr>
 <tr>
 <td>5</td>
-<td>Windows Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
+<td>Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
-<td>variable = URL of the Windows Defender ATP processing servers.<br>
+<td>Variable = URL of the Windows Defender ATP processing servers.<br>
 The service could not contact the external processing servers at that URL.</td>
 <td>Check the connection to the URL. See [Configure proxy and Internet connectivity](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity).</td>
 </tr>
 <tr>
 <td>6</td>
-<td>Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found.</td>
+<td>Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.</td>
 <td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
 <td>Onboarding must be run before starting the service.<br>
 Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
@@ -89,72 +93,66 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
 </tr>
 <tr>
 <td>7</td>
-<td>Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: ```variable```.</td>
-<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>Variable = detailed error description. The endpoint did not onboard correctly and will not be reporting to the portal.</td>
 <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
 </tr>
 <tr>
 <td>8</td>
-<td>Windows Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```.</td>
-<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues. <br><br> **During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+ </td>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+<td>**Onboarding:** No action required. <br><br> **Offboarding:** Reboot the system.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
 </tr>
 <tr>
 <td>9</td>
-<td>Windows Advanced Threat Protection service failed to change its start type. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: ```variable```.</td>
-<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>**During onboarding:** The endpoint did not onboard correctly and will not be reporting to the portal. <br><br>**During offboarding:** Failed to change the service start type. The offboarding process continues. </td>
 <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
 </tr>
 <tr>
 <td>10</td>
-<td>Windows Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```.</td>
 <td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
 <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
 </tr>
 <tr>
 <td>11</td>
-<td>Windows Advanced Threat Protection service completed.</td>
+<td>Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed.</td>
 <td>The endpoint onboarded correctly.</td>
 <td>Normal operating notification; no action required.<br>
 It may take several hours for the endpoint to appear in the portal.</td>
 </tr>
 <tr>
 <td>12</td>
-<td>Windows Advanced Threat Protection failed to apply the default configuration.</td>
+<td>Windows Defender Advanced Threat Protection failed to apply the default configuration.</td>
-<td>Service was unable to apply configuration from the processing servers.</td>
+<td>Service was unable to apply the default configuration.</td>
-<td>This is a server error and should resolve after a short period.</td>
+<td>This error should resolve after a short period of time.</td>
 </tr>
 <tr>
 <td>13</td>
-<td>Service machine ID calculated: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection machine ID calculated: ```variable```.</td>
 <td>Normal operating process.</td>
 <td>Normal operating notification; no action required.</td>
 </tr>
 <tr>
-<td>14</td>
-<td>Service cannot calculate machine ID. Failure code: ```variable```</td>
-<td>Internal error.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
-</tr>
-<tr>
 <td>15</td>
-<td>Windows Advanced Threat Protection cannot start command channel with URL: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection cannot start command channel with URL: ```variable```.</td>
-<td>variable = URL of the Windows Defender ATP processing servers.<br>
+<td>Variable = URL of the Windows Defender ATP processing servers.<br>
 The service could not contact the external processing servers at that URL.</td>
 <td>Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).</td>
 </tr>
 <tr>
 <td>17</td>
-<td>Windows Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```.</td>
 <td>An error occurred with the Windows telemetry service.</td>
-<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled)<br>
+<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
 Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
 </tr>
 <tr>
 <td>18</td>
@@ -171,44 +169,45 @@ If this error persists after a system restart, ensure all Windows updates have f
 </tr>
 <tr>
 <td>20</td>
-<td>Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable```</td>
+<td>Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable```.</td>
 <td>Internal error.</td>
 <td>If this error persists after a system restart, ensure all Windows updates have full installed.</td>
 </tr>
 <tr>
 <td>25</td>
-<td>Windows Advanced Threat Protection service failed to reset health status in the registry, causing the onboarding process to fail. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: ```variable```.</td>
-<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>The endpoint did not onboard correctly.
+It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
 <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
 </tr>
 <tr>
 <td>26</td>
-<td>Windows Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```.</td>
 <td>The endpoint did not onboard correctly.<br>
 It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
 <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
 </tr>
 <tr>
 <td>27</td>
-<td>Windows Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```.</td>
 <td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
 <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).<br>
 Ensure real-time antimalware protection is running properly.</td>
 </tr>
 <tr>
 <td>28</td>
-<td>Windows Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```.</td>
 <td>An error occurred with the Windows telemetry service.</td>
 <td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
 Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
 </tr>
 <tr>
 <td>30</td>
-<td>Windows Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```.</td>
 <td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
 <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
 See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
@@ -216,24 +215,115 @@ Ensure real-time antimalware protection is running properly.</td>
 </tr>
 <tr>
 <td>31</td>
-<td>Windows Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```.</td>
-<td>An error occurred with the Windows telemetry service.</td>
+<td>An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.</td>
 <td>[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).</td>
 </tr>
 <tr>
+<td>32</td>
+<td>Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1</td>
+<td>An error occurred during offboarding.</td>
+<td>Reboot the machine.</td>
+</tr>
+<tr>
 <td>33</td>
-<td>Windows Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```.</td>
 <td>A unique identifier is used to represent each endpoint that is reporting to the portal.<br>
 If the identifier does not persist, the same machine might appear twice in the portal.</td>
 <td>Check registry permissions on the endpoint to ensure the service can update the registry.</td>
 </tr>
 <tr>
 <td>34</td>
-<td>Windows Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```</td>
+<td>Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```.</td>
 <td>An error occurred with the Windows telemetry service.</td>
 <td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
 Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
+</tr>
+<tr>
+<td>35</td>
+<td>Windows Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: ```variable```.</td>
+<td>An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.
+</td>
+<td>Check for errors with the Windows telemetry service.</td>
+</tr>
+<tr>
+<td>36</td>
+<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code: ```variable```.</td>
+<td>Registering Windows Defender Advanced Threat Protection with the Connected User Experiences and Telemetry service completed successfully.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>37</td>
+<td>Windows Defender Advanced Threat Protection A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.</td>
+<td>The machine has almost used its allocated quota of the current 24-hour window. It’s about to be throttled.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>38</td>
+<td>Network connection is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
+<td>The machine is using a metered/paid network and will be contacting the server less frequently.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>39</td>
+<td>Network connection is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
+<td>The machine is not using a metered/paid connection and will contact the server as usual.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>40</td>
+<td>Battery state is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.</td>
+<td>The machine has low battery level and will contact the server less frequently.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>41</td>
+<td>Battery state is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.</td>
+<td>The machine doesn’t have low battery level and will contact the server as usual.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>42</td>
+<td>Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4</td>
+<td>Internal error. The service failed to start.</td>
+<td>If this error persists, contact Support.</td>
+</tr>
+<tr>
+<td>43</td>
+<td>Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5</td>
+<td>Internal error. The service failed to start.</td>
+<td>If this error persists, contact Support.</td>
+</tr>
+<tr>
+<td>44</td>
+<td>Offboarding of Windows Defender Advanced Threat Protection service completed.</td>
+<td>The service was offboarded.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>45</td>
+<td>Failed to register and to start the event trace session [%1]. Error code: %2</td>
+<td>An error occurred on service startup while creating ETW session. This caused service start-up failure.</td>
+<td>If this error persists, contact Support.</td>
+</tr>
+<tr>
+<td>46</td>
+<td>Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute.</td>
+<td>An error occurred on service startup while creating ETW session due to lack of resources. The service started and is running, but will not report any sensor event until the ETW session is started.</td>
+<td>Normal operating notification; no action required. The service will try to start the session every minute.</td>
+</tr>
+<tr>
+<td>47</td>
+<td>Successfully registered and started the event trace session - recovered after previous failed attempts.</td>
+<td>This event follows the previous event after successfully starting of the ETW session.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>48</td>
+<td>Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported.</td>
+<td>Failed to add a provider to ETW session. As a result, the provider events aren’t reported.</td>
+<td>Check the error code. If the error persists contact Support.</td>
 </tr>
 </tr>
 </tbody>

windows/keep-secure/implement-microsoft-passport-in-your-organization.md

@@ -340,6 +340,7 @@ You’ll need this software to set Windows Hello for Business policies in your e
 <li>Azure AD subscription</li>
 <li>[Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
 <li>AD CS with NDES</li>
+<<<<<<< HEAD
 <li>Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work</li>
 </ul></td>
 </tr>

windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md

@@ -14,11 +14,12 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization.
 
 There are three alert severity levels, described in the following table.
@@ -43,17 +44,39 @@ Details displayed about the alert include:
 - When the alert was last observed
 - Alert description
 - Recommended actions
-- The potential scope of breach
+- The incident graph
 - The indicators that triggered the alert
 
-![A detailed view of an alert when clicked](images/alert-details.png)
-
 Alerts attributed to an adversary or actor display a colored tile with the actor name.
 
 Click on the actor's name to see a threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as areas where it's active worldwide. You will also see a set of recommended actions to take.
 
 Some actor profiles include a link to download a more comprehensive threat intelligence report.
 
+![A detailed view of an alert when clicked](images/alert-details.png)
+
+## Incident graph
+The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines. 
+
+You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert. 
+
+## Alert spotlight
+The alert spotlight feature helps ease investigations by highlighting alerts related to a specific machine and events. You can highlight an alert and its related events in the machine timeline to increase your focus during an investigation.
+
+You can click on the machine link from the alert view to see the alerts related to the machine. 
+
+
+  > [!NOTE]
+  > This shortcut is not available from the Incident graph machine links.  
+
+Alerts related to the machine are displayed under the **Alerts related to this machine** section. 
+Clicking on an alert row takes you the to the date in which the alert was flagged on **Machine timeline**. This eliminates the need to manually filter and drag the machine timeline marker to when the alert was seen on that machine. 
+
+You can also choose to highlight an alert from the **Alerts related to this machine** or from the  **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine. Right-click on any alert from either section and select **Mark related events**. This highlights alerts and events that are related and helps differentiate between the other alerts listed in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviours**, or **Verbose**. 
+
+You can also remove the highlight by right-clicking a highlighted alert and selecting **Unmark related events**. 
+
+
 ### Related topics
 - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
 - [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)

windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md

@@ -13,11 +13,12 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
 
 You can see information from the following sections in the URL view:

windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md

@@ -13,11 +13,12 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
 
 You can get information from the following sections in the file view:
@@ -62,11 +63,13 @@ Use the deep analysis feature to investigate the details of any file, usually du
 
 In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
 
-> **Note**&nbsp;&nbsp;Only files from Windows 10 can be automatically collected.
+> [!NOTE]
+> Only files from Windows 10 can be automatically collected.
 
 You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/en-us/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
 
-> **Note**&nbsp;&nbsp;Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
+> [!NOTE]
+> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
 
 When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications.
 
@@ -84,7 +87,8 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
 
 A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
 
-> **Note**&nbsp;&nbsp;Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
+> [!NOTE]
+> Depending on machine availability, sample collection time can vary. There is a 1-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
 
 ## View deep analysis report
 
@@ -121,10 +125,11 @@ HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
   Value = 0 - block sample collection
   Value = 1 - allow sample collection
 ```
-5. Change the organizational unit through the Group Policy. See [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
+5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
 6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
 
-> **Note**&nbsp;&nbsp;If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
+> [!NOTE]
+> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
 
 ### Related topics
 - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)

windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md

@@ -13,12 +13,12 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
-
 Examine possible communication between your machines and external internet protocol (IP) addresses.
 
 Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.
@@ -43,7 +43,8 @@ The **Communication with IP in organization** section provides a chronological v
 
 Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of machines in the organization that communicated with this IP Address (during selectable time period), and the machines in the organization that were observed communicating with this IP address.
 
-> **Note**&nbsp;&nbsp;Search results will only be returned for IP addresses observed in communication with machines in the organization.
+> [!NOTE]
+> Search results will only be returned for IP addresses observed in communication with machines in the organization.
 
 Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the IP address, the file associated with the communication and the last date observed.
 

windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md

@@ -14,11 +14,12 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting telemetry in your network.
 
 Use the Machines view in these two main scenarios:
@@ -37,7 +38,8 @@ The Machines view contains the following columns:
 - **Active Alerts** - the number of alerts reported by the machine by severity
 - **Active malware detections** - the number of active malware detections reported by the machine
 
-> **Note**&nbsp;&nbsp;The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> [!NOTE]
+> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
 
 Click any column header to sort the view in ascending or descending order.
 
@@ -55,7 +57,8 @@ You can filter the view by the following time periods:
 - 30 days
 - 6 months
 
-> **Note**&nbsp;&nbsp;When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period.
+> [!NOTE]
+> When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period.
 
 The threat category filter lets you filter the view by the following categories:
 
@@ -65,7 +68,7 @@ The threat category filter lets you filter the view by the following categories:
 - Threat
 - Low severity
 
-See the [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections) topic for a description of each category.
+For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections).
 
 You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file.
 
@@ -100,6 +103,8 @@ You'll see an aggregated view of alerts, a short description of the alert, detai
 
 This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
 
+You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alerts-spotlight) feature to see the correlation between alerts and events on a specific machine.
+
 ![The timeline shows an interactive history of the alerts seen on a machine](images/timeline.png)
 
 Use the search bar to look for specific alerts or files associated with the machine.

windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md

@@ -14,14 +14,15 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 Windows Defender ATP notifies you of detected, possible attacks or breaches through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.
 
-See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts) topic for more details on how to investigate alerts.
+For more information on how to investigate alerts see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts).
 
 Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the top of the alert to access the Manage Alert menu and manage alerts.
 
@@ -86,7 +87,8 @@ The context of the rule lets you tailor the queue to ensure that only alerts you
 1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of an existing alert.
 2. Choose the context for suppressing the alert.
 
-> **Note**&nbsp;&nbsp;You cannot create a custom or blank suppression rule. You must start from an existing alert.
+> [!NOTE]
+> You cannot create a custom or blank suppression rule. You must start from an existing alert.
 
 **See the list of suppression rules:**
 
@@ -95,7 +97,8 @@ The context of the rule lets you tailor the queue to ensure that only alerts you
 
   ![Click the settings icon and then Suppression rules to create and modify rules](images/suppression-rules.png)
 
-> **Note**&nbsp;&nbsp;You can also click **See rules** in the confirmation window that appears when you suppress an alert.
+> [!NOTE]
+> You can also click **See rules** in the confirmation window that appears when you suppress an alert.
 
 The list of suppression rules shows all the rules that users in your organization have created.
 Each rule shows:

windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md

@@ -14,33 +14,102 @@ author: iaanw
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 There are some minimum requirements for onboarding your network and endpoints.
 
 ## Minimum requirements
 
 ### Network and data storage and configuration requirements
-<!---Your organization must use Azure Active Directory (AAD) to manage users. AAD is used during service onboarding to manage user-based access to the [Windows Defender ATP portal](https://securitycenter.windows.com/).--->
+When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter.
-
-<!--If you’d like help with using AAD to set up user access, contact the [Windows Defender ATP Yammer group](https://www.yammer.com/wsscengineering/\#/threads/inGroup?type=in\_group&feedId=7108776&view=all) or email [winatp@microsoft.com](mailto:winatp@microsoft.com).-->
-
-When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in either a European or United States datacenter.
 
 > **Notes**&nbsp;&nbsp;
 -   You cannot change your data storage location after the first-time setup.
 -   Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data.
 
 ### Endpoint hardware and software requirements
-Endpoints on your network must be running Windows 10 Insider Preview Build 14332 or later. The hardware requirements for Windows Defender ATP on endpoints is the same as those for Windows 10 Insider Preview Build 14332 or later.
+The Windows Defender ATP agent only supports the following editions of Windows 10:
 
-> **Note**&nbsp;&nbsp;Endpoints that are running Windows Server and mobile versions of Windows are not supported.
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 
-Internet connectivity on endpoints is also required. See [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)  for additional proxy configuration settings.
+Endpoints on your network must be running one of these editions.
+
+The hardware requirements for Windows Defender ATP on endpoints is the same as those for the supported editions.
+
+> [!NOTE]
+> Endpoints that are running Windows Server and mobile versions of Windows are not supported.
+
+#### Internet connectivity
+Internet connectivity on endpoints is required.
+
+SENSE can utilize up to 5MB daily of bandwidth  to communicate with the Windows Defender ATP cloud service and report cyber data.
+
+> [!NOTE]
+> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+
+For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
 
 Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section.
 
+### Telemetry and diagnostics settings
+You must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization.
+By default, this service is enabled, but it's good practice to check to ensure that you'll get telemetry from them.
 
+**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+  a.  Go to **Start** and type **cmd**.
+
+  b.  Right-click **Command prompt** and select **Run as administrator**.
+
+2.  Enter the following command, and press **Enter**:
+
+    ```text
+    sc qc diagtrack
+    ```
+
+If the service is enabled, then the result should look like the following screenshot:
+
+![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
+
+If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
+
+
+
+**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+	  a. Go to **Start** and type **cmd**.
+
+    b. Right-click **Command prompt** and select **Run as administrator**.
+
+2.  Enter the following command, and press **Enter**:
+
+    ```text
+    sc config diagtrack start=auto
+    ```
+
+3.  A success message is displayed. Verify the change by entering the following command, and press **Enter**:
+
+    ```text
+    sc qc diagtrack
+    ```
+
+## Windows Defender signature updates are configured
+The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](windows-defender-in-windows-10.md).
+
+When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
+
+## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
+If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
+
+If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information on how to validate and enable the Windows Defender ELAM driver see, [Ensure the Windows Defender ELAM driver is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-windows-defender-elam-driver-is-enabled).

windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,15 @@ author: iaanw
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 You need to onboard to Windows Defender ATP before you can use the service.
 
+
 ## In this section
 Topic | Description
 :---|:---

windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,12 @@ author: DulceMV
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
-
 Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
 
 You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
@@ -37,19 +37,20 @@ When you open the portal, you’ll see the main areas of the application:
 
  ![Windows Defender Advanced Threat Protection portal](images/portal-image.png)
 
-> **Note**&nbsp;&nbsp;Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> [!NOTE]
+> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
 
 You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
 
 Area | Description
 :---|:---
 (1) Settings | Provides access to configuration settings such as time zone, alert suppression rules, and license information.
-(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Endpoint Management**.
+(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Enpoint Management**.
 **Dashboard**	| Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
 **Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
 **Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
-**Preferences setup**|	Shows the settings you selected <!--during [service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md),-->and lets you update your industry preferences and retention policy period.
+**Preferences setup**|	Shows the settings you selected and lets you update your industry preferences and retention policy period.
-**Endpoint Management**|	Allows you to download the onboarding configuration package.
+**Enpoint Management**|	Allows you to download the onboarding configuration package.
 (3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view.
 (4) Search | Search for machines, files, external IP Addresses, or domains across endpoints. The drop-down combo box allows you to select the entity type.
 

windows/keep-secure/prepare-people-to-use-microsoft-passport.md

@@ -83,10 +83,15 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows
 
 **Sign in to PC using the phone**
 
+<<<<<<< HEAD
 1.  Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to.
     > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account.
     
     ![select a device](images/phone-signin-device-select.png)
+=======
+1.  Open the **Microsoft Authenticator** app and tap the name of the PC to sign in to.
+    > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account.
+>>>>>>> parent of 9891b67... from master
      
 2.  Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.
 

windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md

@@ -216,7 +216,7 @@ The following Windows 10 services are protected with virtualization-based secur
 
 -   **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory
 -   **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
--   **Other isolated services**: for example, on Windows Server Technical Preview 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers.
+-   **Other isolated services**: for example, on Windows Server 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers.
 
 >**Note:**  Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended.
  
@@ -747,7 +747,7 @@ For more information about conditional access, see [Azure Conditional Access Pre
 For on-premises applications there are two options to enable conditional access control based on a device's compliance state:
 
 -   For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](http://go.microsoft.com/fwlink/p/?LinkId=691618) blog post.
--   Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server Technical Preview 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
+-   Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
 
 ![figure 13](images/hva-fig12-conditionalaccess12.png)
 

windows/keep-secure/requirements-to-use-applocker.md

@@ -32,7 +32,7 @@ The following table show the on which operating systems AppLocker features are s
 
 | Version | Can be configured | Can be enforced | Available rules | Notes |
 | - | - | - | - | - |
-| Windows 10| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016 Technical Preview. |
+| Windows 10| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016. |
 | Windows Server 2012 R2| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| | 
 | Windows 8.1| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| Only the Enterprise edition supports AppLocker| 
 | Windows RT 8.1| No| No| N/A||  

windows/keep-secure/settings-windows-defender-advanced-threat-protection.md

@@ -14,11 +14,12 @@ author: DulceMV
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 Use the **Settings** menu ![Settings icon](images/settings.png) to configure the time zone, suppression rules, and view license information.
 
 ## Time zone settings
@@ -52,7 +53,7 @@ To set the time zone:
 3.	The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**.
 
 ## Suppression rules
-The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. See [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
+The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
 
 ## License
 Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.

windows/keep-secure/tpm-recommendations.md

@@ -14,7 +14,7 @@ author: brianlic-msft
 **Applies to**
 -   Windows 10
 -   Windows 10 Mobile
--   Windows Server 2016 Technical Preview
+-   Windows Server 2016
 -   Windows 10 IoT Core (IoT Core)
 
 This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
@@ -104,7 +104,7 @@ For end consumers, TPM is behind the scenes but still very relevant for Hello, P
 
 -   TPM is optional on IoT Core.
 
-### Windows Server 2016 Technical Preview
+### Windows Server 2016
 
 -   TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
 

windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md

@@ -7,58 +7,48 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: iaanw
+author: mjcaparas
 ---
 
 # Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues.
+This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints.
 
-You might need to troubleshoot the Windows Defender Advanced Threat Protection onboarding process if you encounter issues.
+If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem.
-This page provides detailed steps for troubleshooting endpoints that aren't reporting correctly, and common error codes encountered during onboarding. <!--and steps for resolving problems with Azure Active Directory (AAD).-->
 
-## Endpoints are not reporting to the service correctly
+## Troubleshoot onboarding when deploying with Group Policy
+Deployment with Group Policy is done by running the onboarding script on the endpoints.  The Group Policy console does not indicate if the deployment has succeeded or not.
 
-If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after 20 minutes, it might indicate an endpoint onboarding or connectivity problem.
+If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint).
 
-Go through the following verification topics to address this issue:
+If the script completes successfully, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
 
-- [Ensure the endpoint is onboarded successfully](#Ensure-that-the-endpoint-is-onboarded-successfully)
+## Troubleshoot onboarding issues when deploying with System Center Configuration Manager
-- [Ensure the Windows Defender ATP service is enabled](#Ensure-that-the-Windows-Defender-ATP-service-is-enabled)
+When onboarding endpoints using the following versions of System Center Configuration Manager:
-- [Ensure the telemetry and diagnostics service is enabled](#Ensure-that-telemetry-and-diagnostics-service-is-enabled)
+- System Center 2012 Configuration Manager
-- [Ensure the endpoint has an Internet connection](#Ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection)
+- System Center 2012 R2 Configuration Manager
+- System Center Configuration Manager (current branch) version 1511
+- System Center Configuration Manager (current branch) version 1602
 
 
-### Ensure the endpoint is onboarded successfully
+Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the endpoints. You can track the deployment in the Configuration Manager Console.
-If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service was successfully onboarded onto the endpoint.
 
-**Check the onboarding state in Registry**:
+If the deployment fails, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint).
 
-1. Click **Start**, type **Run**, and press **Enter**.
+If the onboarding completed successfully but the endpoints are not showing up in the **Machines view** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
 
-2. From the **Run** dialog box, type **regedit** and press **Enter**.
+## Troubleshoot onboarding when deploying with a script on the endpoint
-
-4. In the **Registry Editor** navigate to the Status key under:
-
-   ```text
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection
-```
-
-5. Check the **OnboardingState** value is set to **1**.
-
-  ![Image of OnboardingState status in Registry Editor](images/onboardingstate.png)
-
-If the **OnboardingState** value is not set to **1**, you can use Event Viewer to review errors on the endpoint.
-
-If you configured your endpoints with a deployment tool that required a script, you can check  the event viewer for the onboarding script results.
-<br>
-**Check the result of the script**:
 
+**Check the result of the script on the endpoint**:
 1. Click **Start**, type **Event Viewer**, and press **Enter**.
 
 2. Go to **Windows Logs** > **Application**.
@@ -66,293 +56,19 @@ If you configured your endpoints with a deployment tool that required a script,
 3. Look for an event from **WDATPOnboarding** event source.
 
 If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.
-> **Note**&nbsp;&nbsp;The following event IDs are specific to the onboarding script only. 
+> [!NOTE]
+> The following event IDs are specific to the onboarding script only.
 
 Event ID | Error Type | Resolution steps
 :---|:---|:---
-5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```
+5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
-10 | Onboarding data couldn't be written to registry |  Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```. Verify that the script was ran as an administrator.
+10 | Onboarding data couldn't be written to registry |  Check the permissions on the registry, specifically<br> ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.<br>Verify that the script was ran as an administrator.
 15 |  Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
+15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions.
 30 |  The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
-35 |  The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). 
+35 |  The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location<br>```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.<br>The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
 40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
-
+65 | Insufficient privileges| Run the script again with administrator privileges.
-<br>
-**Use Event Viewer to identify and adress onboarding errors**:   
-
-1. Click **Start**, type **Event Viewer**, and press **Enter**.
-
-2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
-
-    > **Note**&nbsp;&nbsp;SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
-
-3. Select **Operational** to load the log.
-
-4. In the **Action** pane, click **Filter Current log**.
-
-5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**.
-
-  ![Image of Event Viewer log filter](images/filter-log.png)
-
-6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table:
-
-Event ID | Message | Resolution steps
-:---|:---|:---
-5 | Windows Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
-6 | Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
-7 |  Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
-15 | Windows Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
-25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
-
-
-### Ensure the Windows Defender ATP service is enabled
-If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service is set to automatically start and is running on the endpoint.
-
-You can use the SC command line program for checking and managing the startup type and running state of the service.
-
-**Check the Windows Defender ATP service startup type from the command line:**
-
-1.  Open an elevated command-line prompt on the endpoint:
-
-  a.  Click **Start**, type **cmd**, and press **Enter**.
-
-  b.  Right-click **Command prompt** and select **Run as administrator**.
-
-2.  Enter the following command, and press **Enter**:
-
-    ```text
-    sc qc sense
-    ```
-
-If the the service is running, then the result should look like the following screenshot:
-
-  ![Result of the sq query sense command](images/sc-query-sense-autostart.png)
-
-If the service ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start.
-
-**Change the Windows Defender ATP service startup type from the command line:**
-
-1.  Open an elevated command-line prompt on the endpoint:
-
-  a.  Click **Start**, type **cmd**, and press **Enter**.
-
-  b.  Right-click **Command prompt** and select **Run as administrator**.
-
-2.  Enter the following command, and press **Enter**:
-
-    ```text
-    sc config sense start=auto
-    ```
-
-3.  A success message is displayed. Verify the change by entering the following command and press **Enter**:
-
-    ```text
-    sc qc sense
-    ```
-
-**Check the Windows Defender ATP service is running from the command line:**
-
-1.  Open an elevated command-line prompt on the endpoint:
-
-  a.  Click **Start**, type **cmd**, and press **Enter**.
-
-  b.  Right-click **Command prompt** and select **Run as administrator**.
-
-2.  Enter the following command, and press **Enter**:
-
-    ```text
-    sc query sense
-    ```
-
-If the service is running, the result should look like the following screenshot:
-
-![Result of the sc query sense command](images/sc-query-sense-running.png)
-
-If the service **STATE** is not set to **RUNNING**, then you'll need to start it.
-
-**Start the Windows Defender ATP service from the command line:**
-
-1.  Open an elevated command-line prompt on the endpoint:
-
-  a.  Click **Start**, type **cmd**, and press **Enter**.
-
-  b.  Right-click **Command prompt** and select **Run as administrator**.
-
-2.  Enter the following command, and press **Enter**:
-
-    ```text
-    sc start sense
-    ```
-
-3.  A success message is displayed. Verify the change by entering the following command and press **Enter**:
-
-    ```text
-    sc qc sense
-    ```
-
-### Ensure the telemetry and diagnostics service is enabled
-If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service may have been disabled by other programs or user configuration changes.
-
-
-First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
-
-### Ensure the service is set to start
-
-**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
-
-1.  Open an elevated command-line prompt on the endpoint:
-
-  a.  Click **Start**, type **cmd**, and press **Enter**.
-
-  b.  Right-click **Command prompt** and select **Run as administrator**.
-
-2.  Enter the following command, and press **Enter**:
-
-    ```text
-    sc qc diagtrack
-    ```
-
-If the service is enabled, then the result should look like the following screenshot:
-
-![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
-
-If the ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start.
-
-
-
-**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
-
-1.  Open an elevated command-line prompt on the endpoint:
-
-  a.  Click **Start**, type **cmd**, and press **Enter**.
-
-  b.  Right-click **Command prompt** and select **Run as administrator**.
-
-2.  Enter the following command, and press **Enter**:
-
-    ```text
-    sc config diagtrack start=auto
-    ```
-
-3.  A success message is displayed. Verify the change by entering the following command, and press **Enter**:
-
-    ```text
-    sc qc diagtrack
-    ```
-
-**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service startup type**:
-
-1.  Open the services console:
-
-  a. Click **Start** and type **services**.
-
-  b. Press **Enter** to open the console.
-
-2.  Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
-
-3.  Check the **Startup type** column - the service should be set as **Automatic**.
-
-If the startup type is not set to **Automatic**, you'll need to change it so the service starts when the endpoint does.
-
-
-**Use the Windows Services console to set the Windows 10 telemetry and diagnostics service to automatically start:**
-
-1.  Open the services console:
-
-  a. Click **Start** and type **services**.
-
-  b. Press **Enter** to open the console.
-
-2.  Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
-
-3.  Right-click on the entry and click **Properties**.
-
-4.  On the **General** tab, change the **Startup type:** to **Automatic**, as shown in the following image. Click OK.
-
-    ![Select Automatic to change the startup type in the Properties dialog box for the service](images/windefatp-utc-console-autostart.png)
-
-### Ensure the service is running
-
-**Use the command line to check the Windows 10 telemetry and diagnostics service is running**:
-
-1.  Open an elevated command-line prompt on the endpoint:
-
-  a.  **Click **Start** and type **cmd**.**
-
-  b.  Right-click **Command prompt** and select **Run as administrator**.
-
-2.  Enter the following command, and press **Enter**:
-
-    ```text
-    sc query diagtrack
-    ```
-
-If the service is running, the result should look like the following screenshot:
-
-![Result of the sc query command for sc query diagtrack](images/windefatp-sc-query-diagtrack.png)
-
-If the service **STATE** is not set to **RUNNING**, then you'll need to start it.
-
-
-**Use the command line to start the Windows 10 telemetry and diagnostics service:**
-
-1.  Open an elevated command-line prompt on the endpoint:
-
-  a.  **Click **Start** and type **cmd**.**
-
-  b.  Right-click **Command prompt** and select **Run as administrator**.
-
-2.  Enter the following command, and press **Enter**:
-
-    ```text
-    sc start diagtrack
-    ```
-
-3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
-
-    ```text
-    sc query diagtrack
-    ```
-
-**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service is running**:
-
-1.  Open the services console:
-
-  a. Click **Start** and type **services**.
-
-  b. Press **Enter** to open the console.
-
-2.  Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
-
-3.  Check the **Status** column - the service should be marked as **Running**.
-
-If the service is not running, you'll need to start it.
-
-
-**Use the Windows Services console to start the Windows 10 telemetry and diagnostics service:**
-
-1.  Open the services console:
-
-  a. Click **Start** and type **services**.
-
-  b. Press **Enter** to open the console.
-
-2.  Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
-
-3.  Right-click on the entry and click **Start**, as shown in the following image.
-
-![Select Start to start the service](images/windef-utc-console-start.png)
-
-
-### Ensure the endpoint has an Internet connection
-
-The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
-
-WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
-
-To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic.
-
-If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.    
 
 ## Troubleshoot onboarding issues using Microsoft Intune
 You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
@@ -369,7 +85,7 @@ If none of the event logs and troubleshooting steps work, download the Local scr
 
 Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
 :---|:---|:---|:---|:---
-0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding <br> Offboarding |  **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <br><br> **Troubleshooting steps:** <br> Check the event IDs in the [Ensure the endpoint is onboarded successfully](#ensure-the-endpoint-is-onboarded-successfully) section. <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding <br> Offboarding |  **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <br><br> **Troubleshooting steps:** <br> Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section. <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
  | | | Onboarding <br> Offboarding <br> SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it. <br><br> **Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. <br> <br> If it doesn't exist, open an elevated command and add the key.
   | | | SenseIsRunning <br> OnboardingState <br> OrgId |  **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed. <br><br> **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues). <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
    | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms:  Enterprise, Education, and Professional. <br> Server is not supported.
@@ -395,47 +111,209 @@ Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider
 
 Channel name: Admin
 
-ID | Severity | Event description | Description
+ID | Severity | Event description | Troubleshooting steps
 :---|:---|:---|:---
-1801 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Get Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3) | Windows Defender ATP has failed to get specific node's value. <br> TokenName: Contains node name that caused the error. <br> Result: Error details.  
+1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ELAM driver needs to be enabled see, [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions.
-1802 | Information | Windows Defender Advanced Threat Protection CSP: Get Node's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3) |  Windows Defender ATP has completed to get specific node's value. <br> TokenName: Contains node name <br><br> Result: Error details or succeeded.
+
-1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ATP has completed to get specific node's value. <br><br> TokenName: Contains node name that caused the error <br><br> Result: Error details.
+## Troubleshoot onboarding issues on the endpoint
-1820 | Information | Windows Defender Advanced Threat Protection CSP: Set Nod's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ATP has completed to get specific node's value. <br><br> TokenName: Contains node name <br><br> Result: Error details or succeeded.
+If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
+- [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)
+- [Ensure the telemetry and diagnostics service is enabled](#ensure-that-telemetry-and-diagnostics-service-is-enabled)
+- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
+- [Ensure the endpoint has an Internet connection](#ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection)
+- [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled)
 
 
-<!--
+### View agent onboarding errors in the endpoint event log
 
-## There are no users in the Azure Active Directory
+1. Click **Start**, type **Event Viewer**, and press **Enter**.
-If you don't see any users in the [Azure Management Portal](https://manage.windowsazure.com/) during the service onboarding stage, you might need to add users to the directory first.
 
-1.  Go to the Azure Management Portal and select the directory you want to manage.
+2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
 
-2.  Click **Users** from the top menu bar.
+  > [!NOTE]
+	> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
 
-    ![Example Azure Management Portal organization](images/contoso-users.png)
+3. Select **Operational** to load the log.
 
-3.  Click **Add user** from the menu bar at the bottom.
+4. In the **Action** pane, click **Filter Current log**.
 
-    ![Add user menu](images/add-user.png)
+5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**.
 
-4.  Select the type of user and enter their details. There might be multiple steps in the **Add user** dialog box depending on the type of user. When you're done, click **Complete** ![Check icon](images/check-icon.png) or **OK**.
+  ![Image of Event Viewer log filter](images/filter-log.png)
 
-5.  Continue to add users. They will now appear in the **Users** section of the **Windows ATP Service** application. You must assign the user a role before they can access the [Windows Defender ATP portal](https://securitycenter.windows.com/).
+6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table:
 
-## The Windows Defender ATP app doesn't appear in the Azure Management Portal
+Event ID | Message | Resolution steps
-If you remove access for all users to the Windows ATP Service application (by clicking Manage access), you will not see the application in the list of applications in your directory in the [Azure Management Portal](https://manage.windowsazure.com/).
+:---|:---|:---
+5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
+7 |  Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
+15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
+<br>
+There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
 
-Log in to the application in the Azure Management Portal again:
+### Ensure the telemetry and diagnostics service is enabled
+If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service might have been disabled by other programs or user configuration changes.
 
-1.  Sign in to the [Windows Defender ATP portal](https://securitycenter.windows.com/) with the user account you want to give access to.
+First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
 
-2.  Confirm that you have signed in with the correct details, and click **Accept**.
+### Ensure the service is set to start
+
+**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+  a.  Click **Start**, type **cmd**, and press **Enter**.
+
+  b.  Right-click **Command prompt** and select **Run as administrator**.
+
+2.  Enter the following command, and press **Enter**:
+
+    ```text
+    sc qc diagtrack
+    ```
+
+    If the service is enabled, then the result should look like the following screenshot:
+
+    ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
+
+    If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
+
+
+**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
+
+1.  Open an elevated command-line prompt on the endpoint:
+
+  a.  Click **Start**, type **cmd**, and press **Enter**.
+
+  b.  Right-click **Command prompt** and select **Run as administrator**.
+
+2.  Enter the following command, and press **Enter**:
+
+    ```text
+    sc config diagtrack start=auto
+    ```
+
+3.  A success message is displayed. Verify the change by entering the following command, and press **Enter**:
+
+    ```text
+    sc qc diagtrack
+    ```
+
+4. Start the service.
+
+  a. In the command prompt, type the following command and press **Enter**:
+
+  ```text
+  sc start diagtrack
+  ```
+
+### Ensure the endpoint has an Internet connection
+
+The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
+
+WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
+
+To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic.
+
+If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
+
+### Ensure the Windows Defender ELAM driver is enabled
+If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled.
+
+**Check the ELAM driver status:**
+
+1.	Open a command-line prompt on the endpoint:
+
+  a. Click **Start**, type **cmd**, and select **Command prompt**.
+
+2.	Enter the following command, and press Enter:
+    ```
+    sc qc WdBoot
+    ```
+    If the ELAM driver is enabled, the output will be:
+
+    ```
+    [SC] QueryServiceConfig SUCCESS
+
+    SERVICE_NAME: WdBoot
+            TYPE               : 1  KERNEL_DRIVER
+            START_TYPE         : 0   BOOT_START
+            ERROR_CONTROL      : 1   NORMAL
+            BINARY_PATH_NAME   : \SystemRoot\system32\drivers\WdBoot.sys
+            LOAD_ORDER_GROUP   : Early-Launch
+            TAG                : 0
+            DISPLAY_NAME       : Windows Defender Boot Driver
+            DEPENDENCIES       :
+            SERVICE_START_NAME :
+    ```
+    If the ELAM driver is disabled the output will be:
+    ```
+    [SC] QueryServiceConfig SUCCESS
+
+    SERVICE_NAME: WdBoot
+            TYPE               : 1  KERNEL_DRIVER
+            START_TYPE         : 0   DEMAND_START
+            ERROR_CONTROL      : 1   NORMAL
+            BINARY_PATH_NAME   : \SystemRoot\system32\drivers\WdBoot.sys
+            LOAD_ORDER_GROUP   : _Early-Launch
+            TAG                : 0
+            DISPLAY_NAME       : Windows Defender Boot Driver
+            DEPENDENCIES       :
+            SERVICE_START_NAME :
+    ```
+
+#### Enable the ELAM driver
+
+1. Open an elevated PowerShell console on the endpoint:
+
+  a. Click **Start**, type **powershell**.
+
+  b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Run the following PowerShell cmdlet:
+
+    ```text
+    'Set-ExecutionPolicy -ExecutionPolicy Bypass’
+    ```
+3. Run the following PowerShell script:
+
+    ```text
+    Add-Type @'
+    using System;
+    using System.IO;
+    using System.Runtime.InteropServices;
+    using Microsoft.Win32.SafeHandles;
+    using System.ComponentModel;
+
+    public static class Elam{
+        [DllImport("Kernel32", CharSet=CharSet.Auto, SetLastError=true)]
+        public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);
+
+        public static void InstallWdBoot(string path)
+        {
+            Console.Out.WriteLine("About to call create file on {0}", path);
+            var stream = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read);
+            var handle = stream.SafeFileHandle;
+
+            Console.Out.WriteLine("About to call InstallELAMCertificateInfo on handle {0}", handle.DangerousGetHandle());
+            if (!InstallELAMCertificateInfo(handle))
+            {
+                Console.Out.WriteLine("Call failed.");
+                throw new Win32Exception(Marshal.GetLastWin32Error());
+            }
+            Console.Out.WriteLine("Call successful.");
+        }
+    }
+    '@
+
+    $driverPath = $env:SystemRoot + "\System32\Drivers\WdBoot.sys"
+    [Elam]::InstallWdBoot($driverPath)
+    ```
 
-3.  Go to the [Azure Management Portal](https://manage.windowsazure.com/) and navigate to your directory. You will see the **Windows ATP Service** application in the **Applications** section again.
 
--->
 
 ## Related topics
 - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
 - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-

windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md

@@ -13,11 +13,12 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
 
 ### Server error - Access is denied due to invalid credentials
@@ -40,8 +41,10 @@ U.S. region:
 - sevillesettings-prd.trafficmanager.net			
 - threatintel-cus-prd.cloudapp.net			
 - threatintel-eus-prd.cloudapp.net
-
+- winatpauthorization.windows.com
-
+- winatpfeedback.windows.com
+- winatpmanagement.windows.com
+- winatponboarding.windows.com
 
 EU region:
 
@@ -52,7 +55,10 @@ EU region:
 - sevillesettings-prd.trafficmanager.net
 - threatintel-neu-prd.cloudapp.net
 - threatintel-weu-prd.cloudapp.net
-
+- winatpauthorization.windows.com
+- winatpfeedback.windows.com
+- winatpmanagement.windows.com
+- winatponboarding.windows.com
 
 ### Windows Defender ATP service shows event or error logs in the Event Viewer
 

windows/keep-secure/use-windows-defender-advanced-threat-protection.md

@@ -14,11 +14,12 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
-
 A typical security breach investigation requires a member of a security operations team to:
 
 1. View an alert on the **Dashboard** or **Alerts queue**
@@ -41,6 +42,6 @@ Topic | Description
 [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
 [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
 [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
-[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external internet protocol (IP) addresses.
+[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses.
 [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
 [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.

windows/keep-secure/windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ author: mjcaparas
 
 **Applies to:**
 
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
-
-Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
 
 Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
 
@@ -78,10 +79,12 @@ detect sophisticated cyber-attacks, providing:
 Topic | Description
 :---|:---
 [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | This overview topic for IT professionals provides information on the minimum requirements to use Windows Defender ATP such as network and data storage configuration, and endpoint hardware and software requirements, and deployment channels.
-[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints.
 [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)| Learn about how Windows Defender ATP collects and handles information and where data is stored.
+[Assign user access to the Windows Defender ATP portal](assign-portal-access-windows-defender-advanced-threat-protection.md)| Before users can access the portal, they'll need to be granted specific roles in Azure Active Directory.
+[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints.
 [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the main features of the service and how it leverages Microsoft technology to protect enterprise endpoints from sophisticated cyber attacks.
 [Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise.
 [Windows Defender Advanced Threat Protection settings](settings-windows-defender-advanced-threat-protection.md) | Learn about setting the time zone and configuring the suppression rules to configure the service to your requirements.  
 [Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
 [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
+[Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP.

windows/manage/configure-windows-telemetry-in-your-organization.md

@@ -16,7 +16,7 @@ author: brianlic-msft
 
 -   Windows 10
 -   Windows 10 Mobile
--   Windows Server 2016 Technical Preview
+-   Windows Server 2016
 
 At Microsoft, we use Windows telemetry to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry gives users a voice in the operating system’s development. This guide describes the importance of Windows telemetry and how we protect that data. Additionally, it differentiates between telemetry and functional data. It also describes the telemetry levels that Windows supports. Of course, you can choose how much telemetry is shared with Microsoft, and this guide demonstrates how.
 
@@ -36,7 +36,7 @@ Use this article to make informed decisions about how you might configure teleme
 
 ## Overview
 
-In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM.
+In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM.
 
 For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
 
@@ -159,7 +159,7 @@ Microsoft believes in and practices information minimization. We strive to gathe
 ## Telemetry levels
 
 
-This section explains the different telemetry levels in Windows 10, Windows Server 2016 Technical Preview, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016 Technical Preview.
+This section explains the different telemetry levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
 
 The telemetry data is categorized into four levels:
 
@@ -171,7 +171,7 @@ The telemetry data is categorized into four levels:
 
 -   **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
 
-The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016 Technical Preview.
+The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016.
 
 ![breakdown of telemetry levels and types of administrative controls](images/priv-telemetry-levels.png)
 
@@ -216,7 +216,7 @@ The Basic level gathers a limited set of data that’s critical for understandin
 
 The data gathered at this level includes:
 
--   **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview in the ecosystem. Examples include:
+-   **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include:
 
     -   Device attributes, such as camera resolution and display type
 
@@ -306,7 +306,7 @@ We do not recommend that you turn off telemetry in your organization as valuable
 
 You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
 
-The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced**.
+The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 is **Enhanced**.
 
 ### Configure the operating system telemetry level
 

windows/whats-new/whats-new-windows-10-version-1607.md

@@ -76,6 +76,11 @@ Several new features and management options have been added to Windows Defender
 - [Run a Windows Defender scan from the command line](../keep-secure/run-cmd-scan-windows-defender-for-windows-10.md).
 - [Detect and block Potentially Unwanted Applications with Windows Defender](../keep-secure/enable-pua-windows-defender-for-windows-10.md) during download and install times.
 
+### Windows Defender Advanced Threat Protection (ATP)
+With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
+
+[Learn more about Windows Defender Advanced Threat Protection (ATP)](../keep-secure/windows-defender-advanced-threat-protection.md)
+
 ## Management
 
 ### Use Remote Desktop Connection for PCs joined to Azure Active Directory