Merge branch 'master' into tvm-event-insights

devices/hololens/hololens2-maintenance.md

@@ -3,7 +3,7 @@ title: HoloLens 2 device care and cleaning FAQ
 description: 
 author: Teresa-Motiv
 ms.author: v-tea
-ms.date: 3/26/2020
+ms.date: 4/14/2020
 ms.prod: hololens
 ms.topic: article
 ms.custom: 
@@ -69,10 +69,10 @@ To clean the brow pad, wipe it by using a cloth that's moistened by using water
 
 ## Can I use ultraviolet (UV) light to sanitize the device?
 
-UV germicidal irradiation has not been tested on HoloLens 2.
+UV-C germicidal irradiation has not been tested on HoloLens 2.
 
 > [!CAUTION]  
-> High levels of UV exposure can degrade the display quality of the device and damage the visor coating. Over-exposure to UV radiation has the following effects, in order of the duration and intensity of exposure:
+> High levels of UV-A and UV-B exposure can degrade the display quality of the device and damage the visor coating. Over-exposure to UV-A and UV-B radiation has the following effects, in order of the duration and intensity of exposure:
 >  
 > 1. The brow pad and device closures become discolored.
 > 1. Defects appear in the anti-reflective (AR) coating on the visor and on the sensor windows.

devices/surface/windows-autopilot-and-surface-devices.md

@@ -55,7 +55,7 @@ Surface partners that are enabled for Windows Autopilot include:
 | * [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html)  | * [Bechtle](https://www.bechtle.com/marken/microsoft/microsoft-windows-autopilot) |    |
 | * [SHI](https://www.shi.com/Surface) | * [Cancom](https://www.cancom.de/) |    |
 | * [LDI Connect](https://www.myldi.com/managed-it/)  | * [Computacenter](https://www.computacenter.com/uk) |    |
-| * [F1](https://www.functionone.com/#empower)  |   |
+| * [F1](https://www.functiononeit.com/#empower)  |   |
 
 ## Learn more
 

windows/deployment/windows-10-poc-sc-config-mgr.md

@@ -463,7 +463,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
 
 11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
 
-12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo.
+12. Click the **Task Sequence** tab. Under **State Restore** click **Tattoo** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo.
 
 13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again.
 
@@ -775,7 +775,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
 
 9. Close the Map Network Drive window, the Explorer window, and the command prompt.
 
-10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment.
+10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Click **Next** to continue with the deployment.
 
 11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will:
     - Install Windows 10
@@ -1027,7 +1027,7 @@ In the Configuration Manager console, in the Software Library workspace under Op
 
 ### Deploy the new computer
 
-1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host:
+1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
 
     ```
     Start-VM PC4

windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md

@@ -47,7 +47,8 @@ Windows Hello provides many benefits, including:
 ## Where is Windows Hello data stored?
 The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.
 
-Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
+> [!NOTE]
+>Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
 
 ## Has Microsoft set any device requirements for Windows Hello?
 We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:

windows/security/identity-protection/hello-for-business/hello-how-it-works.md

@@ -18,16 +18,23 @@ ms.reviewer:
 # How Windows Hello for Business works
 
 **Applies to**
+
 -   Windows 10
 
-Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords.  Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you.  For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices.  Windows Hello for Business also works for domain joined devices. 
+Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords.  Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you.  For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices.  Windows Hello for Business also works for domain joined devices.
 
 Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
 > [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
 
 ## Technical Deep Dive
+
 Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business.
 
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work.
+
+> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
+> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
+
 - [Technology and Terminology](hello-how-it-works-technology.md)
 - [Device Registration](hello-how-it-works-device-registration.md)
 - [Provisioning](hello-how-it-works-provisioning.md)

windows/security/identity-protection/hello-for-business/hello-videos.md

@@ -24,14 +24,33 @@ ms.reviewer:
 ## Overview of Windows Hello for Business and Features
 
 Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock
+
 > [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
 
+## Why PIN is more secure than a password
+
+Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
+
+> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
+
 ## Microsoft's passwordless strategy
 
 Watch Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**
 
 > [!VIDEO https://www.youtube.com/embed/mXJS615IGLM]
 
+## Windows Hello for Business Provisioning
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
+
+> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
+
+## Windows Hello for Business Authentication
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
+
+> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
+
 ## Windows Hello for Business user enrollment experience
 
 The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.

windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md

@@ -21,13 +21,18 @@ ms.date: 10/23/2017
 # Why a PIN is better than a password
 
 **Applies to**
+
 -   Windows 10
 
 Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
 On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
 
+Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
+
+> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
 
 ## PIN is tied to the device
+
 One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
 
 Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
@@ -44,7 +49,7 @@ When the PIN is created, it establishes a trusted relationship with the identity
 
 The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
 
-User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised.
+User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
 
 The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
 
@@ -54,10 +59,11 @@ The Windows Hello for Business PIN is subject to the same set of IT management p
 
 ## What if someone steals the laptop or phone?
 
-To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
+To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user's biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
 You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
 
 **Configure BitLocker without TPM**
+
 1.  Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
 
     **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup**
@@ -72,7 +78,8 @@ You can provide additional protection for laptops that don't have TPM by enablin
 2.  Set the number of invalid logon attempts to allow, and then click OK.
 
 ## Why do you need a PIN to use biometrics?
-Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
+
+Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
 
 If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.
 

windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md

@@ -77,7 +77,6 @@ Not currently available.
 
 ## Integrations
 Integrations with the following Microsoft products are not currently available:
-- Azure Security Center
 - Azure Advanced Threat Protection
 - Azure Information Protection
 - Office 365 Advanced Threat Protection

windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md

@@ -23,7 +23,8 @@ ms.date: 04/24/2018
 **Applies to:**
 - Virtual desktop infrastructure (VDI) machines
 
-
+>[!WARNING]
+> Micrsosoft Defender ATP currently does not support Windows Virtual Desktop multi-user session.
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
 

windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md

@@ -175,7 +175,7 @@ The following capabilities are included in this integration:
 - Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
 
     > [!NOTE]
-    > Automated onboarding is only applicable for Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
+    > Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.
 
 - Servers monitored by  Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers.  In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
 - Server investigation -  Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach

windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md

@@ -21,6 +21,9 @@ ms.topic: conceptual
 
 ## 100.90.70
 
+> [!WARNING]
+> When upgrading the installed package from a product version earlier than 100.90.70, the update may fail on Red Hat-based and SLES distributions. This is because of a major change in a file path. A temporary solution is to remove the older package, and then install the newer one. This issue does not exist in newer versions.
+
 - Antivirus [exclusions now support wildcards](linux-exclusions.md#supported-exclusion-types)
 - Added the ability to [troubleshoot performance issues](linux-support-perf.md) through the `mdatp` command-line tool
 - Improvements to make the package installation more robust

windows/security/threat-protection/microsoft-defender-atp/live-response.md

@@ -59,6 +59,9 @@ You'll need to enable the live response capability in the [Advanced features set
 
     >[!NOTE]
     >Only users with manage security or global admin roles can edit these settings.
+    
+- **Ensure that the machine has an Automation Remediation level assigned to it**<br>
+You'll need to enable, at least, the minimum Remdiation Level for a given Machine Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
 
 - **Enable live response unsigned script execution** (optional) <br>
 

windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md

@@ -1,4 +1,4 @@
----
+---
 title: Manage indicators 
 ms.reviewer: 
 description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities.

windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md

@@ -68,6 +68,7 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo
 - Windows 8.1 Pro
 - Windows 10, version 1607 or later
   - Windows 10 Enterprise
+  - [Windows 10 Enterprise LTSC](https://docs.microsoft.com/windows/whats-new/ltsc/)
   - Windows 10 Education
   - Windows 10 Pro
   - Windows 10 Pro Education
@@ -89,7 +90,6 @@ The hardware requirements for Microsoft Defender ATP on machines is the same as
 ### Other supported operating systems
 - macOSX
 - Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
-- Android
 
 > [!NOTE]
 > You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work.
@@ -160,7 +160,7 @@ Internet connectivity on machines is required either directly or through proxy.
 
 The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
 
-For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md) .
+For more information on additional proxy configuration settings, see [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md).
 
 Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
 
@@ -175,7 +175,7 @@ When Windows Defender Antivirus is not the active antimalware in your organizati
 If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
 
 > [!NOTE]
-> Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
+> Your regular group policy doesn't apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
 
 
 For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).

windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md

@@ -66,7 +66,7 @@ Threat & Vulnerability Management helps customers prioritize and focus on those
 
 Microsoft Defender ATP's Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
 
-- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. 
+- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
 - Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
 - Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
 
@@ -84,10 +84,10 @@ Ensure that your machines:
 
 > Release | Security update KB number and link
 > :---|:---
-> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
+> Windows 10 Version 1709 | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
-> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
+> Windows 10 Version 1803 | [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
-> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
+> Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
-> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
+> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
 
 - Are onboarded to Microsoft Intune and  Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
 - Have at least one security recommendation that can be viewed in the machine page

windows/security/threat-protection/microsoft-defender-atp/onboarding.md

@@ -123,7 +123,7 @@ Manager and deploy that policy to Windows 10 devices.
 
     ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png)
 
-3.    Select **Download package**.
+3. Select **Download package**.
 
     ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png)
 
@@ -184,11 +184,11 @@ Before the systems can be onboarded into the workspace, the deployment scripts n
 Edit the InstallMMA.cmd with a text editor, such as notepad and update the
 following lines and save the file:
 
-    ![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png)
+   ![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png)
 
 Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
 
-    ![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png)
+   ![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png)
 
 Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
 Systems:

windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md

@@ -170,12 +170,12 @@ how the endpoint security suite should be enabled.
 
 | Component                               | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Adoption Order Rank |
 |-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
-| Endpoint Detection & Response (EDR)     | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response)                                                                                                                                                                                                                                             | 1                   |
+| Endpoint Detection & Response (EDR)     | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. <br> [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response)                                                                                                                                                                                                                                             | 1                   |
-| Next Generation Protection (NGP)        | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | 2                   |
+|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: <br> - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities <br> - Invaluable machine vulnerability context during incident investigations <br> -  Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager <br> [Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
-| Attack Surface Reduction (ASR)          | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction)                                                                                                                                                                                                                                                                                                                                                                                       | 3                   |
+| Next Generation Protection (NGP)        | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes: <br> -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus.   <br> -  Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection"). <br> - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research. <br> [Learn more](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).                                                                                                                                                                                                                                                                                                                                                                       |3                   |
-| Threat & Vulnerability Management (TVM) | Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 4                   |
+| Attack Surface Reduction (ASR)          | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. <br> [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction)                                                                                                                                                                                                                                                                                                                                                                                       | 4                   |
-| Auto Investigation & Remediation (AIR)  | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable      |
+| Auto Investigation & Remediation (AIR)  | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. <br>[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable      |
-| Microsoft Threat Experts (MTE)          | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)                                                                                                                                                                                                                                                                                                                     | Not applicable      |
+| Microsoft Threat Experts (MTE)          | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. <br>[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)                                                                                                                                                                                                                                                                                                                     | Not applicable      |
 
 ## Next step
 |||

windows/security/threat-protection/microsoft-defender-atp/production-deployment.md

@@ -57,7 +57,7 @@ In this deployment scenario, you'll be guided through the steps on:
 
 
 >[!NOTE]
->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
+>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
 
 ## Check license state
 

windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md

@@ -56,6 +56,14 @@ Windows Defender SmartScreen provide an early warning system against websites th
 > [!IMPORTANT]
 > SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
 
+## Submit files to Windows Defender SmartScreen for review
+
+If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more info, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). 
+
+When submitting Microsoft Defender Smartscreen products, make sure to select **Microsoft Defender SmartScreen** from the menu.
+
+![Windows Security, Windows Defender SmartScreen controls](images/Microsoft-defender-smartscreen-submission.png)
+
 ## Viewing Windows Defender SmartScreen anti-phishing events
 
 When Windows Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).